Abstract

Because of the success of IBE (Identity-Based Encryption) in recent years, there is a growing
need to standardize this technology in order to streamline communication based on it. This
requires a thorough study to identify the strengths and weaknesses of the most recognized
cryptosystems. Our first goal in this work is to move toward this standardization by carrying out
a study that identifies the best cryptosystems.
As we will see in this work, and as Boneh and Boyen said in 2011 (Journal of Cryptology), BB1
and BB2 are the most efficient schemes in the selective-ID model without random oracles
(they are the only schemes traced in this model). This holds because those schemes are secure
(under this model), efficient and useful for some applications. Our second goal in this work is to
make an improvement to BB2 to obtain more efficient schemes. We study the security of our
schemes, which is based on an efficient, strong Diffie-Hellman problem compared to BB1 and
BB2. Moreover, our HIBE supports $s^+$-ID HIBE, in contrast to BBG (Boneh-Boyen-Goh).
Additionally, the ID in our scheme lies in $\mathbb{Z}_p$ instead of $\mathbb{Z}_p^*$ as with BBG.
We state all of these claims more precisely in this article.
1 INTRODUCTION

IBE was proposed by Adi Shamir in 1984 [1] as a solution to the problem of public-key revocation
and the certificate requirement in PKI. In IBE (Identity-Based Encryption) the public key can be
an arbitrary string such as an email address. Its corresponding private key is generated by a
Private Key Generator (PKG), which authenticates users according to their identities. Shamir
proposed this idea only as a concept, and it was not until 2001 that Dan Boneh and Matthew
Franklin [2] proposed an elegant scheme in the Random Oracle model, using pairings. Their
proposal opened the door to more efficient pairing-based schemes, among which we cite:
Boneh-Franklin (BF) [2] and Sakai-Kasahara (SK) [3] in the Random Oracle model, Boneh-Boyen (BB) [4]
in the selective-ID model, and Waters [5] and Gentry [6] in the Standard Model. These
cryptosystems are the main themes of IBE cryptography, because all the cryptosystems that
came later, [7,8] and others, are just modifications of them.

After all these proposals, several companies began working with IBE instead of PKI; we can
cite Voltage Security and Nortech. This calls for a standardization of the communication,
which is currently being prepared (an attempt has already been made by IEEE [9]). But doing so
requires a very thorough study, because many things must be considered. In this study we compare
the main cryptosystems cited above.

Comparison of IBE schemes has been treated in many papers. For example, Boyen [10] calls for
the standardization of BB1 (IEEE 1363.3) by showing its benefits. The same author [11] makes a
comparison between BB1, SK and BF. In [7] Kiltz and Vahlis propose two cryptosystems and
show their advantage over those of Gentry and Kiltz-Galindo. Note that every time a cryptosystem
is invented, its authors begin by describing its advantages over others. Unfortunately, none of
these studies is conclusive, because either they do not take into account all the major
cryptosystems, or the number of factors on which the comparison is based is insufficient. In this
work we make a practical comparison between all the proposed cryptosystems, integrating as many
factors as possible and proposing a suitable scale.

As networked systems become more accessible and open, an active adversary (or even a passive
one) may not be limited to eavesdropping, but may take a more active role. She can
interact with honest parties, she may analyze some older responses, she can try to break some
Diffie-Hellman problem used in the target cryptosystem... That is why it is customary, and
part of the standardization framework, to check the security of each cryptosystem by
what are called simulation studies. These studies were introduced in [12]; they are carried out
in advance to test the strength of a cryptosystem. But all of them require that the identity to
be attacked is announced in the challenge phase. We call this the full domain. In 2003 Canetti
et al. [13] proposed a weaker security model, called selective-identity IBE (sID-IBE). In this
model the adversary must commit ahead of time to the identity it intends to attack. In [14]
Sanjit Chatterjee et al. presented an extension of this model in which the adversary is allowed
to vary the length of the challenge identity, which is not allowed in the sID model. Naturally
any protocol secure in the $s^+$-ID model is also secure in the s-ID model, but the converse is
not necessarily true.
Even though the reduction from selective-ID IBE to fully secure IBE introduces a factor of N [4]
(N will be at least $2^{160}$ to make the bilinear problem hard) in the security parameters of
the system, Boneh and Boyen [4] proposed in 2004 two efficient schemes, BB1 and BB2, under this
model. The first one follows the Commutative Blinding approach; it is an HIBE scheme based on the
DBDHP (Decisional Bilinear Diffie-Hellman Problem). The second follows the Exponent-Inversion
approach; it is an IBE based on Dq-BDHIP (Decisional q-Bilinear Diffie-Hellman Inversion
Problem).

An IBE requires a PKG to generate the private keys, but a single PKG is insufficient, since
everything is then concentrated in one authority. To avoid this, the works [15], [16] and others
were proposed. All of them are heavy, because for k authorities in the hierarchy they need to
generate k elements in Extract and in Encrypt, in addition to a product of k pairings in Decrypt.
This cost was reduced by Boneh, Boyen and Goh [17]. In [17] the authors propose a scheme where
the ciphertext size and the decryption cost are independent of the hierarchy depth. The ciphertext
is always just three group elements and decryption requires two bilinear map computations. This
reduction benefits some applications such as Forward HIBE and Broadcast Encryption.

But even though the authors of [17] reduce the cost in the syntax of HIBE, their scheme requires
the identity to be challenged to be in $\mathbb{Z}_p^*$, because the technique of the simulation
study needs this to remove the master key $g^a$. This limits the choice of identities, which is a
restriction. Moreover, their proposal was not designed with the notion of $s^+$-ID in mind, and it
is proven in [14] that converting s-ID to $s^+$-ID incurs a degradation of h ($h = v - v^+$, where
v is the length of the challenged identity and $v^+$ is the target prefix). This gives more
advantage to attack the cryptosystem, as we may have an advantage equal to $h\varepsilon$.

Our second contribution in this work is to overcome all of this. Keeping the syntax of BB2
(noting that BB1 and BB2 were still considered efficient schemes in the sID model as of 2011 [18]),
we propose a scheme (with a small change to BB2) in the Commutative Blinding approach
which requires only 1 pairing in Decrypt, contrary to BB1. In the same manner, we reduce
the HIBE following BBG. This reduction helps us give a more efficient Forward HIBE and
even Broadcast Encryption. In contrast to BBG, our resulting HIBE supports the $s^+$-ID model and
its identities can be taken in $\mathbb{Z}_p$ rather than $\mathbb{Z}_p^*$ as with BBG.

Organization 

First we divide our work into two parts: first goal and second goal.
For the first goal we begin with some preliminaries; section 2.2 is reserved for the
comparison (at two levels: complexity and security). Our final decision is given in section 2.3.
For the second goal we also start with some notions concerning the functionality of IBE and HIBE
and their security; in addition we give some preliminaries concerning the Diffie-Hellman
problem to be used. We reserve sections 3.2 and 3.3 for our IBE and HIBE proposals respectively,
then we test the efficiency of our schemes compared to BB1, BB2 and BBG. In section 3.4 we
demonstrate the utility of our scheme for the Forward scheme. Finally we give a conclusion.

2 First goal 

2.1 Some Preliminaries 

Before giving these preliminaries, we recall that our first goal in this work is to
classify the main cryptosystems. The cryptosystems in competition are: Boneh-Franklin,
Sakai-Kasahara, Boneh-Boyen (BB1, BB2), Waters, Gentry.

2.1.1 Relation of the Diffie-Hellman Problems
2.1.1-1 Bilinear Diffie-Hellman Problems

Definition 1 : (Bilinear Diffie Hellman Inversion Problem (k-BDHIP) [5]). Let k be an
integer, and $x \in \mathbb{Z}_q^*$, $P_2 \in G_2^*$, $P_1 = \psi(P_2)$, $e : G_1 \times G_2 \to G_T$.
Given $(P_1, P_2, xP_2, x^2P_2, \ldots, x^kP_2)$, computing $e(P_1,P_2)^{1/x}$ is difficult.

Definition 2 :New Problem : SiE-BDHP (Simple Exponent Bilinear Diffie Hellman Problem). 
We express it for the first time in the literature : Let k be an integer, (Pi, P 2 ) in G\ x G\, x£Z q , 
given Pq, xP±, xP 2 , xP%, xP^, xP^. Compute xPq is difficult 

Definition 3 : (Bilinear CAA1 (k-BCAA1) [19]). Let k be an integer, and $x \in \mathbb{Z}_q^*$,
$P_2 \in G_2^*$, $P_1 = \psi(P_2)$, $e : G_1 \times G_2 \to G_T$. Given
$(P_1, P_2, xP_2, h_0, (h_1, \frac{1}{h_1+x}P_2), \ldots, (h_k, \frac{1}{h_k+x}P_2))$, with
$h_i \in \mathbb{Z}_q$ distinct for $0 \le i \le k$, calculating $e(P_1,P_2)^{1/(x+h_0)}$ is difficult.

Definition 4 : (Bilinear Diffie-Hellman Problem BDHP [2]). Let $G_1$, $G_2$ be two groups of
prime order q. Let $e : G_1 \times G_2 \to G_T$ be an admissible bilinear map and let P be a
generator of $G_1$. The BDHP in $\langle G_1, G_2, e \rangle$ is as follows: given
$\langle P, aP, bP, cP \rangle$ for $a, b, c \in \mathbb{Z}_q$, calculating
$e(P,P)^{abc} \in G_2$ is difficult.

Definition 5 : (Augmented Bilinear Diffie-Hellman Exponent Assumption q-ABDHP [6]). Let k be
an integer, and $x \in \mathbb{Z}_q^*$, $P_2 \in G_2^*$, $P_1 = \psi(P_2)$,
$e : G_1 \times G_2 \to G_T$. Given $(P_1, x^{k+2}P_1, P_2, xP_2, x^2P_2, \ldots, x^{2k}P_2)$,
calculating $e(P_1,P_2)^{x^{k+1}}$ is difficult.

Definition 6 : Computational Diffie-Hellman Problem (CDHP). Given P, aP, bP, can we
calculate abP?

Definition 7 : Decisional Diffie-Hellman Problem

Given P, aP, bP, cP, can we decide whether abP = cP? This problem can be solved in polynomial
time using the pairing: for example, if we verify that e(P,cP) = e(aP,bP), then abP = cP. This
strategy also applies to other problems, for example the q-BDHIP and q-ABDHE.



2.1.1-2 Relation 

First, we discuss the relationship between the Bilinear Diffie-Hellman problems on which the
simulation studies of the competing cryptosystems are based. Studying the classification of
these problems is useful, because the strength of these studies rests on them. We have:



BDHP (1)   →  BDHIP (2)
BDHP (1)   →  ABDHP (2)
BDHP (1)   →  DBDHP (3)
BDHIP (2)  →  DBDHIP (4)
ABDHP (2)  →  DABDHP (4)

Relation and Classification



We have placed DBDHP in class 3 compared with BDHIP and ABDHP because it can be calculated
in polynomial time using the pairing. We give the same rank to ABDHP and BDHIP
since, to date, no relationship is known that links these two problems; all we can say is
that they belong to the same category (queries in the form of exponentiations).

DBDHP ranks before DABDHP and DBDHIP because (ignoring that
BDHP → ABDHP and BDHIP) the BDHP is harder than BDHIP and ABDHP, since the latter
have complexity O{0) according to [20]. So the DBDHP is also harder than DABDHP and DBDHIP.
Recall that: BF (BDHP), SK (BDHIP), BB1 (BDHP), BB2 (DBDHIP), Waters (DBDHP), Gentry
(DABDHP).

On the other hand, IBE was built to serve a broad category of persons (in a classified area)
using a single system of parameters. The only things that change are the private keys, which are
generated from a single master key for all the applications. So there may be enemies
among the customers (the domains) who agree to break the master key of the authority from
the syntax of the private keys. The success of this attack is therefore related to the syntax of
each private key. The private keys of the competing cryptosystems have the following forms: BF
has the form SiE-BDHP ($sQ_{ID_i}$ for each varying i); SK has the form BCAA1
($\frac{1}{a+H_1(ID)}$). BB1 is based on PDL, so as not to extract $\alpha$, $\beta$, $\omega$
from $\alpha P_{pub}$, $\beta P_{pub}$, $\omega P_{pub}$ respectively. Also, we could not
calculate $P_{prive}$ from $rP_{prive}$, since if this were easy, it would also be easy to
associate a random r with $(\alpha H(ID) + \beta)P_{prive} + \omega P_{prive}$, and so to break the
cryptosystem easily, as we have the division of two pairings. BB2 has a private key of the form
BCAA1 ($\frac{1}{s_1 + ID + s_2 r}$). The syntax of the private key of Waters is, like BB1, based
on PDL, while that of Gentry has the form BCAA1.
As is generally known, the PDL has complexity $O(\sqrt{q})$ and the BCAA1 has $O(\sqrt[3]{q})$ [20], as it
belongs to the category of Diffie-Hellman problems in exponentiation form. For the SiE-BDHP
we do not have an exact complexity; all we can say is that it is less than PDL and more than BCAA1,
since PDL → SiE-BDHP → EBDHP → BCAA1 (EBDHP: Exponent Bilinear Diffie-Hellman
Problem [19]). So we have this classification according to the hardness of the private key: BF(2),
SK(3), BB1(1), BB2(3), Waters(1), Gentry(3)

2.1.2 Random Oracle & Standard Model 

Random Oracle : In cryptography, a random oracle is an oracle that answers each specific query
with a random response (for more details we refer the interested reader to [21]).
The use of the Random Oracle has some dangers; in this article we cite the following.
The Random Oracle responds with random values, and it is therefore difficult to determine
whether its values suit the conditions allowed. Moreover, because the random values of
the Random Oracle are difficult to adapt, the cryptosystems under this model use
arbitrarily chosen values in their proofs. This makes these cryptosystems unclear in
their simulation studies (qn is not related directly to the syntax of the cryptosystem but is
arbitrary). The Random Oracle has further dangers, for which we refer the interested reader to
[22]. By contrast, in the Standard Model, which does not use any Random Oracle, we are sure about
what is happening, as we use mathematical formulas. With the Random Oracle we interact
with a random entity that has no exact measure.

2.1.3 Studies of Simulations 

Simulation studies were introduced in [12]; they are carried out in advance to test the strength
of a cryptosystem. In this article we cite:

CPA : The abbreviation of Chosen Plaintext Attack, i.e. during the simulation study the
opponent has the advantage of access to the encryptions of texts of his choice.

CCA : The abbreviation of Chosen Ciphertext Attack, which we divide into two parts: CCA1
and CCA2. During CCA the adversary has the advantage of access to the decryptions of texts he has
chosen. In CCA1 the opponent is less limited in comparison with CCA2. We must say that CCA2
is the most powerful of all these attacks.

In 2003 Canetti, Halevi and Katz proposed an alternative strategy for the simulation study, in
which the adversary must commit ahead of time to the challenge identity. The identity
to attack must thus be declared in advance. This model is referred to as the selective-identity
attack (sID), while the original model is called the full-identity scenario (ID). According to
[23] the selective ID (sID-CCA/CPA) is weaker than (ID-CCA/CPA). ID-CCA is required to merit
standardization.

2.1.4 Advantage of the Cryptosystem 

In this section, we compare the advantage of each competing cryptosystem. Recall that an
advantage measures the ability of an opponent to break a cryptosystem, based specifically on
mathematical probabilities. For our cryptosystems we have :

Adv BF (Advantage of BF) = [(-^(i-gL) + i)(i-; )to -i] -§ „ ^(l-§)- ; Adv SK 

= (^j7j-)(l — |) 9D - For the two crypto system BB1 and BB2 we utilize a propriety demonstrated 
by Boneh Boyen [4] which say that : 

Let E be a $(t, q_S, \varepsilon)$-selective identity secure IBE system (IND-sID-CPA). Suppose E
admits N distinct identities. Then E is also a $(t, q_S, N\varepsilon)$-fully secure IBE
(IND-ID-CPA). So based on this property
we have : AcIvbbi = £-2", ^- qs ) > AdvBBi = £-2™. As long as following [5] and [6] we extract easily :
Advwater= 32( TO +i)g ' AdvGentry= £ + 4^ • To compare this advantages we take into consideration : 
QS & Qd < Qh < n << p. So we have : 

$Adv_{Waters} < Adv_{BF} < Adv_{SK} < Adv_{Gentry} < Adv_{BB1} < Adv_{BB2}$. Consequently, Waters is
the most desirable, as it has a very small advantage.



2.1.5 Anonymity 

Anonymity means that the identity of the recipient cannot be distinguished from the ciphertext.
This property is highly desirable in cryptography, because it limits the activity of an opponent
from the start: the opponent is unable to learn to whom the ciphertext is addressed. Among
our cryptosystems, only Boneh-Franklin and Gentry are anonymous.



2.1.6 Pairing 

A pairing is a bilinear map that takes two points on an elliptic curve and gives an element of the
multiplicative group of n-th roots of unity. Among the pairings we cite: Weil, Tate, Ate and
$\eta$, but in cryptographic implementations we often use Weil and Tate.



Pairing of Weil 

The Weil pairing is defined as follows : $e_r : E[r] \times E[r] \to \mu_r$ ($\mu_r$ is the set of
the r-th roots of unity) such that : $e_r(P,Q) = \frac{f_{D_P}(D_Q)}{f_{D_Q}(D_P)}$



Pairing of Tate 

The Tate pairing is the map :
$t_r : E(k)[r] \times E(k)/rE(k) \to k^*/(k^*)^r$

$(P,Q) \mapsto t_r(P,Q) = f_{D_P}(D_Q)$ modulo $(k^*)^r$. To have an exact value, it can be
defined as follows :

$t_r(P,Q) = (f_{D_P}(D_Q))^{(q^k - 1)/r}$



2.1.7 Inverse of two Pairing 

The inverse of two pairings is calculated as in [24] :

$\frac{e(P_1,Q_1)}{e(P_2,Q_2)} = e(P_1,Q_1)\,e(P_2,-Q_2)$, and if we take $P_1$ and $P_2$ with the
same order, we can use the same Miller algorithm to calculate the inverse of two pairings. The
only thing we change is
instead of h <- /i 2 x we calculate h <- x also instead of 



The calculation of the pairing was inefficient until the invention of Miller's algorithm in 1986.

Miller(P, Q, r)

Input : r = (r_n ... r_0) (binary representation),
        P ∈ E[r] (⊂ E(F_q)) and Q ∈ G_1 (⊂
Output : f_{r,P}(Q) ∈ G_3 (⊂ F*_{q^k})
T ← P, f_1 ← 1
for i = n - 1 down to 0 do
    1 : T ← [2]T
        f_1 ← f_1^2 × l_1(Q) / v_1(Q)
        l_1 is the tangent to the curve at T.
        v_1 is the vertical to the curve at [2]T.
    2 : if r_i = 1 then
        f_1 ← f_1 × l_2(Q) / v_2(Q)
        T ← T + P
        l_2 is the line passing through the points T and P.
        v_2 is the vertical at the point P + T.
Output : Return f_1



2.1.8 Hashing onto an Elliptic Curve

The Boneh-Franklin cryptosystem raises the problem of hashing onto the selected elliptic
curve. We recall the method used by Boneh and Franklin:

Map to point

0. Project the ID using : $H_1 : ID \in \{0,1\}^* \to y_0 \in \mathbb{F}_p$

1. Calculate $x_0 = (y_0^2 - 1)^{1/3} = (y_0^2 - 1)^{(2p-1)/3} \in \mathbb{F}_p$.

2. Let $Q = (x_0, y_0) \in E(\mathbb{F}_p)$, then calculate $Q_{ID} = lQ \in G$.

3. Output MapToPoint($y_0$) = $Q_{ID}$.
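
The four MapToPoint steps above, as an added worked example that is not part of the original article. It assumes the Boneh-Franklin setting the cube-root formula comes from (curve $y^2 = x^3 + 1$ over $\mathbb{F}_p$ with $p \equiv 2 \pmod 3$ and $p + 1 = l \cdot q$); the toy parameters, the use of SHA-256 for $H_1$ and all function names are assumptions chosen for illustration.

```python
import hashlib

# Constructed toy parameters (far too small to be secure):
# P = 2 (mod 3) is the field prime and P + 1 = L * Q.
P = 6053      # field prime p
Q = 1009      # prime order q of the target subgroup G
L = 6         # cofactor l = (p + 1) / q


def h1(identity: str) -> int:
    """Step 0: hash the identity string to y0 in F_p (SHA-256 is an assumption)."""
    digest = hashlib.sha256(identity.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % P


def cube_root(v: int) -> int:
    """Step 1: when p = 2 (mod 3), cubing is a bijection on F_p and
    v^((2p-1)/3) is the unique cube root of v."""
    return pow(v % P, (2 * P - 1) // 3, P)


def on_curve(pt) -> bool:
    """True for the point at infinity (None) or a solution of y^2 = x^3 + 1."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + 1)) % P == 0


def add(a, b):
    """Affine point addition on y^2 = x^3 + 1 over F_p."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # a = -b, also covers doubling a 2-torsion point
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1 % P, -1, P)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P)
    lam %= P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k: int, pt):
    """Double-and-add scalar multiplication [k]pt."""
    acc = None
    while k > 0:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def map_to_point(identity: str):
    """Steps 0-3: ID -> y0 -> x0 -> Q = (x0, y0) -> Q_ID = [l]Q in G."""
    y0 = h1(identity)
    x0 = cube_root(y0 * y0 - 1)
    q_pt = (x0, y0)
    assert on_curve(q_pt)                # every y0 yields a curve point
    return mul(L, q_pt)                  # cofactor multiplication lands in the order-q subgroup


if __name__ == "__main__":
    for ident in ("alice@example.com", "bob@example.com"):
        print(ident, "->", map_to_point(ident))
```

Multiplying by the cofactor is what forces the result into the order-q subgroup; the check `mul(Q, map_to_point(id)) is None` holds for every identity because the curve has exactly p + 1 points.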

2.1.9 Cryptosystems in Competition 

The competing cryptosystems are Boneh-Franklin, Sakai-Kasahara, Boneh-Boyen, Waters and
Gentry. In this article we choose them taking into account the most recent changes that make them
effective. So for Boneh-Franklin we prefer the version of Galindo [25] over the original version of
Boneh and Franklin, because Galindo provides a reduction in the advantage of Boneh-Franklin.
Moreover, the latter is valid only on supersingular curves, as it uses a symmetric pairing. By
contrast, Galindo uses asymmetric pairings of type II and established his argument based on them.
Following [26], asymmetric pairings, with which we can use ordinary curves, are more convenient in
implementations than symmetric ones.

Boneh-Franklin (Galindo-Full Version)
Setup. Let $(G_1, G_2, G_T, \psi)$ be a bilinear group. Choose a generator
$P_2 \in G_2$ and set $P_1 = \psi(P_2)$. Next pick $s \leftarrow \mathbb{Z}_p$
and set $Q_{pub} = sP_2 \in G_2 \rightarrow P_{pub} = sP_1 \in G_1^*$.
Choose cryptographic hash functions $H_1 : \{0,1\}^* \to G_2^*$,
$H_2 : G_T \to \{0,1\}^n$, $H_3 : \{0,1\}^n \times \{0,1\}^n \to \mathbb{Z}_p^*$,
$H_4 : \{0,1\}^n \to \{0,1\}^n$. The message space is $M = \{0,1\}^n$
and the ciphertext space is $C = G_1^* \times \{0,1\}^n \times \{0,1\}^n$.
Extract. For a given string $ID \in \{0,1\}^*$, compute $Q_{ID} = H_1(ID)$
and set the private key $d_{ID}$ to be $d_{ID} = sQ_{ID} \in G_2^*$.
Encrypt. To encrypt $M \in \{0,1\}^n$ under identity ID, compute
$Q_{ID} = H_1(ID) \in G_2^*$, choose $\sigma \leftarrow \{0,1\}^n$,
set $r = H_3(\sigma, M) \in \mathbb{Z}_p^*$ and finally

$C = \langle rP_1,\ \sigma \oplus H_2(e(P_{pub}, Q_{ID})^r),\ M \oplus H_4(\sigma) \rangle$

where $e(P_{pub}, Q_{ID}) \in G_T$.
Decrypt. Let $C = \langle U, V, W \rangle$ be a ciphertext under the identity
ID. To decrypt C using the private key $d_{ID} \in G_2^*$ do :

1. Compute $V \oplus H_2(e(U, d_{ID})) = \sigma$.

2. Compute $W \oplus H_4(\sigma) = M$.

3. Set $r = H_3(\sigma, M)$. Check that $U = rP$.
If not, reject the ciphertext.

4. Output M.



Sakai-Kasahara (ChenCheng-Full Version)
Setup. Let $(G_1, G_2, G_T, \psi)$ be a bilinear group. Choose a generator
$P_2 \in G_2$ and set $P_1 = \psi(P_2)$. Next pick $s \leftarrow \mathbb{Z}_p$
and set $Q_{pub} = sP_2 \in G_2^* \rightarrow P_{pub} = sP_1 \in G_1^*$. Choose
cryptographic hash functions $H_1 : \{0,1\}^* \to G_2^*$,
$H_2 : G_T \to \{0,1\}^n$, $H_3 : \{0,1\}^n \times \{0,1\}^n \to \mathbb{Z}_p^*$,
$H_4 : \{0,1\}^n \to \{0,1\}^n$. The message space is $M = \{0,1\}^n$
and the ciphertext space is $C = G_1^* \times \{0,1\}^n \times \{0,1\}^n$.
Extract : Given an identifier string $ID_A \in \{0,1\}^n$ of entity A, $M_{pk}$
and $M_{sk}$, the algorithm returns $d_A = \frac{1}{s + H_1(ID_A)} P_2$.
Encrypt : Given a plaintext $m \in M$, $ID_A$ and $M_{pk}$,
the following steps are performed :

1. Pick a random $\sigma \in \{0,1\}^n$ and compute $r = H_3(\sigma, m)$.

2. Compute $Q_A = H_1(ID_A)P_1 + P_{pub}$, $g^r = e(P_1, P_2)^r$.

Set the ciphertext to be $C = (rQ_A,\ \sigma \oplus H_2(g^r),\ m \oplus H_4(\sigma))$.
Decrypt : Given a ciphertext $C = (U, V, W)$, $ID_A$, $d_A$
and $M_{pk}$, follow the steps :

1. Compute $g' = e(U, d_A)$ and $\sigma' = V \oplus H_2(g')$.

2. Compute $m' = W \oplus H_4(\sigma')$ and $r' = H_3(\sigma', m')$.

3. If $U \ne r'(H_1(ID_A)P_1 + P_{pub})$ output $\perp$,
else return $m'$ as the plaintext.

Boneh-Boyen

BB1 (Full Version)
Setup : To generate IBE system parameters, pick $\omega, \alpha, \beta, \gamma \in \mathbb{Z}_p$,
and output params = $\{P, P_1 = \alpha P, P_2 = \beta P, v_0 = e(P,P)^{\omega}\} \in G_1^3 \times G_T$,
masterk = $(P, \omega, \alpha, \beta) \in G_2 \times \mathbb{Z}_p^4$.
Let $g_1$ and $g_2$ be the respective generators of some
bilinear group pair $(G_1, G_2)$ of prime order p, and let
$e : G_1 \times G_2 \to G_T$ be a bilinear pairing map.
Three cryptographic hash functions, viewed as random oracles, are available :
$H_1 : \{0,1\}^* \to \mathbb{Z}_p$, $H_2 : G_T \to \{0,1\}^n$,
$H_3 : G_T \times \{0,1\}^n \times G_1 \times G_2 \to \mathbb{Z}_p$.
The message space is $M = \{0,1\}^n$ and
the ciphertext space is $C = G_1^* \times \{0,1\}^n \times \{0,1\}^n$.
Extract : To extract from masterk a private key $d_{ID}$ for an
identity $ID \in \{0,1\}^*$, pick a random $r \in \mathbb{Z}_p$ and output
$d_{ID} = (d_0 = (\omega + (\alpha H_1(ID) + \beta)r)P,\ d_1 = rP)$.
Encrypt : Given a plaintext $m \in M$, $ID_A$ and $M_{pk}$,
the following steps are performed :

C = ( $c = M \oplus H_2(k)$ with $k = v_0^s$,
      $c_0 = sP$,
      $c_1 = H_1(ID)sP_1 + sP_2$,
      $t = s + H_3(k, c, c_0, c_1) \bmod p$ )

where $M \in \{0,1\}^n$ is the message, $ID \in \{0,1\}^*$
is the recipient identifier, and $s \in \mathbb{Z}_p$
is a random ephemeral integer.
Decrypt : Given a ciphertext C and a private key $d_{ID} = (d_0, d_1)$,
compute $k = \frac{e(c_0, d_0)}{e(c_1, d_1)}$, $s = t - H_3(k, c, c_0, c_1)$.
If $(k, c_0) \ne (v_0^s, sP)$, output $\perp$ ;
otherwise, output $M = c \oplus H_2(k)$.

BB2 (Version CPA)
Setup outputs $Msk \leftarrow (a, b)$ and
$Pub \leftarrow (P, P_a = aP, P_b = bP, v = e(P,P))$
for $a, b \in \mathbb{F}_p$ chosen at random.
Extract(Msk, Id) outputs
$Pvk_{Id} \leftarrow (r_{Id} = r,\ d_{Id} = \frac{1}{a + Id + br}P)$ for $r \in \mathbb{F}_p$.
Encrypt(Pub, Id, Msg, s) outputs
$Ctx \leftarrow (c_0 = Msg \cdot v^s,\ c_1 = sP_a + s\,Id\,P,\ c_2 = sP_b)$.
Decrypt(Pub, $Pvk_{Id}$, Ctx) outputs
$Msg' \leftarrow c_0 / e(c_1 + r_{Id}c_2, d_{Id}) \in G_T$.

Waters (Naccache-Version CPA)

Setup : Choose a secret parameter $\alpha \in \mathbb{Z}_p$ at random,
choose a random generator $g \in G$ and set the value
$g_1 = \alpha g$; also choose at random $g_2 \in G$.
The authority chooses a random value $u' \in G$
and a random n-length vector $U = (u_i)$ whose elements are chosen at
random from G. The published parameters are
params $\langle g, g_1, g_2, u', U \rangle$; the master secret is $\alpha g_2$.
Key Generation : Let $v = (v_1, \ldots, v_n) \in (\{0,1\}^n)^n$
be an identity and let r be random in $\mathbb{Z}_p$.
The private key $d_v$ for identity v is constructed
as : $d_v = (\alpha g_2 + r(u' + \sum_{i=1}^{n} u_i),\ rg)$
Encryption : A message $M \in G_1$ is encrypted
for an identity v as follows.
A value $t \in \mathbb{Z}_p$ is chosen at random.
The ciphertext is then constructed as :
$C = (e(g_1, g_2)^t M,\ t \cdot g,\ t \cdot (u' + \sum_{i=1}^{n} u_i))$
Decryption : Let $C = (c_1, c_2, c_3)$ be a valid encryption
of M under the identity v. Then C can be
decrypted by $d_v = (d_1, d_2)$ as : $c_1 \frac{e(c_3, d_2)}{e(c_2, d_1)} = M$



Gentry (Full-Version)

Setup : The PKG picks random generators $\langle g, h_1, h_2, h_3 \rangle$
and a random $\alpha \in \mathbb{Z}_p$. It sets $g_1 = \alpha g \in G$. It chooses a
hash function H from a family of universal one-way hash
functions. The public params and private master-key are
given by params = $\langle g, g_1, h_1, h_2, h_3, H \rangle$, master-key = $\alpha$
Key Gen : To generate a private key for identity $ID \in \mathbb{Z}_p$,
the PKG generates random $r_{ID,i} \in \mathbb{Z}_p$ for
$i \in \{1,2,3\}$ and outputs the private key
$d_{ID} = \{(r_{ID,i}, h_{ID,i}) : i \in \{1,2,3\}\}$, where
$h_{ID,i} = \frac{1}{\alpha - ID}(h_i + (-r_{ID,i}\,g))$. If $ID = \alpha$, the PKG aborts.
Encrypt : To encrypt $m \in G_T$ using identity $ID \in \mathbb{Z}_p$, the
sender generates random $s \in \mathbb{Z}_p$ and sends the ciphertext C :
$u = sg_1 + (-sID)g$,
$v = e(g,g)^s$,
$w = m \cdot e(g, h_1)^{-s}$,
$y = e(g, h_2)^s\, e(g, h_3)^{s\beta}$
Above, for C = (u,v,w,y) we set $\beta = H(u,v,w)$
Decrypt : To decrypt ciphertext C = (u,v,w,y) with ID,
the recipient sets $\beta = H(u,v,w)$ and tests whether
$y = e(u, h_{ID,2} + \beta h_{ID,3})\, v^{r_{ID,2} + r_{ID,3}\beta}$. If the check
fails, the recipient outputs $\perp$. Otherwise, it outputs
$m = w \cdot e(u, h_{ID,1})\, v^{r_{ID,1}}$



Justification of the Choice

We make our choice based on the recent modifications of the competing cryptosystems.
For Boneh-Franklin, we have justified the version of Galindo. For
Sakai-Kasahara, we prefer the version of Chen-Cheng [19], which is CCA secure. As far as
BB1 is concerned, we use the Random Oracle version; BB1 has several
versions : Random Oracle, selective-ID, and also Standard Model. Only $H_1$ changes between them,
but we prefer the first one, because we have the cryptosystem of Waters, which has the same syntax
as BB1 and is in the Standard Model. As for Waters, we use the version of Naccache,
which uses words instead of the alphabet, and this reduces the complexity.

2.2 Efficient Comparison 

As we have noted, Xavier Boyen attempted in 2008 to make a comparison [11] between
Boneh-Franklin, Sakai-Kasahara and BB1, by counting for example the number of parameters of
each cryptosystem, the associated groups and the associated properties. He has also called for
the standardization of the BB1 cryptosystem [10] using the same method. Unfortunately his attempt
is not practical, because he does not compute the exact complexity (spatial and temporal) of
each cryptosystem. He fixed only the basis and counted according to the number of
parameters. He set out some criteria and only checked whether each cryptosystem meets them or
not, without establishing any classification. By contrast, in our comparison we follow another
strategy: we set up a scale that takes into account the usefulness of each property, which allows
us to identify the best cryptosystem.

2.2.1 Comparison at the Security Level

Before starting the comparison at the security level, we first recall the following :

| BF | SK | BB1 | BB2 | Waters | Gentry |
|---|---|---|---|---|---|
| RO | RO | RO & sID | RO & sID | SM | SM |
| BDHP | BDHIP | BDHP | DBDHIP | DBDHP | Dq-ABDHP |
| CCA | CCA | CPA | CPA | CPA | CCA |
| SiE-BDHP | BCAA1 | PDL | BCAA1 | PDL | BCAA1 |


To rank the cryptosystems with respect to security, we assign a scale according to the usefulness
of each property. Concerning the model used : RO is the worst case and SM the best, with sID
between them; therefore : RO (rank 3), sID (rank 2), SM (rank 1). But because of the very great
dangers of RO [22], a few of which we presented in section 2.1.2, we double these coefficients
in the table below. On the other hand, because of the usefulness of anonymity for security, since
it can block the activity of the opponent early, we reduce the rank to 0 for those that have it
and give 2 to those that do not. For the remaining criteria we follow the classification made
in sections 2.1.1 and 2.1.4.

Table 1 - Classification at the security level

|  | BF | SK | BB1 | BB2 | Waters | Gentry |
|---|---|---|---|---|---|---|
| Model | 6 | 6 | 4 | 4 | 2 | 2 |
| Pro DH | 1 | 2 | 1 | 4 | 3 | 4 |
| Adv | 2 | 3 | 5 | 6 | 1 | 4 |
| Simu | 0 | 0 | 1 | 1 | 1 | 0 |
| Pro priv | 2 | 3 | 1 | 3 | 1 | 3 |
| Ano | 0 | 2 | 2 | 2 | 2 | 0 |
| Sum | 11 | 16 | 14 | 20 | 10 | 13 |
| Class | (2nd) | (5th) | (4th) | (6th) | (1st) | (3rd) |


2.2.2 Comparison at the Complexity Level

In [10] [11] Xavier Boyen tried to establish a base from which to compute the time for the
cryptosystems concerned. But we can say that his results are not accurate enough, because
he does not take into account some operations such as inversion, multiplication, etc. By contrast,
in our study we count as many operations as possible. Moreover, our complexity can combine
spatial and temporal aspects.

Associated Complexity

We assemble our own complexity in the following tables.

In table III we set the parameters so as to reduce the calculation as much as possible; for
example, instead of placing $g = e(P_1, P_2)$ (in the SK cryptosystem) in Encrypt, where
we would recalculate it each time, we publish it among the Params.
In table IV the symbols mean :

C : Complexity ; $Mul_{sca}$ : Scalar Multiplication ; $Exp_{ffi}$ : Exponentiation in the finite
field ; $Inv_{ffi}$ : Inversion in the finite field ; $Mul_{ffi}$ : Multiplication in the finite
field ; pair : Pairing ; Inv of 2 pair : Inversion of two pairings



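Table 2 - Associated Parameters

|  | BF Ga | SK CC |
|---|---|---|
| Setup | $sP_1$ | $sP_1$; $g = e(P_1,P_2)$ |
| Extract | $Q_{ID}$ (map to point); $sQ_{ID}$ | $\frac{1}{s+H_1(ID)}P_2$ |
| Encrypt | $u = rP_2$; $e(P_{pub},Q_{ID})^r$ | $Q = H_1(ID)P_1 + P_{pub}$; $g^r$; $u = rQ$ |
| Decrypt | $e(u,d_{ID})$ | $e(u,d_{ID})$; $r'Q_A$ |

|  | BB1 | BB2 | Waters Na |
|---|---|---|---|
| Setup | $\alpha P_1$; $\beta P_2$; $e(P,P)$; $v$ | $aP_1$; $bP_2$; $e(P,P)$ | $\alpha g_1$; $v = e(g_1,g_2)$ |
| Extract | $(\omega + r(\alpha H_1(ID) + \beta))P$; $rP$ | $\frac{1}{a+ID+br}P$; $r$ | $\alpha g_2 + r(U' + \sum_{i=1}^{n} U_i)$; $rg$ |
| Encrypt | $v^s$; $sP$; $H_1(ID)sP_1$; $sP_2$ | $m \cdot v^s$; $sP_a$; $sIdP$; $sP_b$ | $v^t$; $tg$; $t(U' + \sum_{i=1}^{n} U_i)$ |
| Decrypt | $\frac{e(c_0,d_0)}{e(c_1,d_1)}$; $v_0^s$; $sP$ | $c_0 / e(c_1 + r_{Id}c_2, d_{Id})$ | $c_1 \times \frac{e(c_3,d_2)}{e(c_2,d_1)}$ |

|  | Gentry |
|---|---|
| Setup | $v_0 = e(g,g)$; $v_1 = e(g,h_1)$; $v_2 = e(g,h_2)$; $v_3 = e(g,h_3)$ |
| Encrypt | $u$; $v_0^s$; $m \cdot v_1^{-s}$; $v_2^s v_3^{s\beta}$ |
| Decrypt | $y = e(u, h_{ID,2} + \beta h_{ID,3})\,v^{r_{ID,2} + r_{ID,3}\beta}$; $w \cdot e(u, h_{ID,1})\,v^{r_{ID,1}}$ |
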

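Table 3 - Associated Complexity

|  | BF Ga | SK CC |
|---|---|---|
| Setup | $C(Mul_{sca})$ | $C(Mul_{sca}) + C(pair)$ |
| Extract | $C(\text{map to point}) + C(Mul_{sca})$ | $C(Inv_{ffi}) + C(Mul_{sca})$ |
| Encrypt | $C(Mul_{sca}) + C(pair) + C(Exp_{ffi})$ | $2C(Mul_{sca}) + C(Exp_{ffi})$ |
| Decrypt | $C(pair)$ | $C(pair) + C(Mul_{sca})$ |

|  | BB1 | BB2 |
|---|---|---|
| Setup | $2C(Mul_{sca}) + C(pair) + C(Exp_{ffi})$ | $2C(Mul_{sca}) + C(pair)$ |
| Extract | $2C(Mul_{ffi}) + 2C(Mul_{sca})$ | $C(Inv_{ffi}) + C(Mul_{sca}) + C(Mul_{ffi})$ |
| Encrypt | $3C(Mul_{sca}) + C(Exp_{ffi}) + C(Mul_{ffi})$ | $3C(Mul_{sca}) + C(Exp_{ffi}) + 2C(Mul_{ffi})$ |
| Decrypt | $C(\text{Inv of 2 pair}) + C(Exp_{ffi}) + C(Mul_{sca})$ | $C(Mul_{ffi}) + C(pair) + C(Mul_{sca})$ |

|  | Waters Na | Gentry |
|---|---|---|
| Setup | $C(Mul_{sca}) + C(pair)$ | $4C(pair)$ |
| Extract | $4C(Mul_{sca})$ | $3C(Mul_{sca}) + C(Inv_{ffi})$ |
| Encrypt | $3C(Mul_{sca}) + C(Exp_{ffi}) + C(Mul_{ffi})$ | $2C(Mul_{sca}) + 4C(Exp_{ffi}) + C(Inv_{ffi}) + 2C(Mul_{ffi})$ |
| Decrypt | $C(Mul_{ffi}) + C(\text{Inv of 2 pair})$ | $4C(Mul_{ffi}) + 2C(pair) + C(Mul_{sca}) + 2C(Exp_{ffi})$ |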



Observation : To calculate the Scalar Multiplication we consider in this article that the
operations of adding and doubling are equal, so for example $(U' + \sum_{i=1}^{n} U_i)$ is considered as one Scalar Multiplication.



Complexity Neighboring 

In this section we begin to fix the complexity for each cryptosystem. We can say that these are
neighboring (approximate) complexities, since we do not take into account addition, subtraction, calculation of
hash functions... Moreover, we equate the complexity of a squaring with that of a multiplication.
Our method helps us to obtain a close comparison between the competing cryptosystems,
because we concentrate only on the main arithmetic operations used in each cryptosystem: multiplication, squaring,
exponentiation, scalar multiplication.
Following [27] we have:

1. $C(\text{compute of } m \times n) = O((\log n)^2)$

2. $C(\text{compute of } \gcd(m, n)) = C(\text{compute of } m^{-1}) = O((\log n)^3) = C(\text{compute of } m^{-1} \pmod n) = O((\log n)^3)$

For the exponentiation we consider in this article the Right-to-left binary exponentiation algorithm [28], which
has complexity equivalent to:

$(\tfrac{1}{2}\lg n)\,Mu + (\lg n)\,Sq = (\tfrac{3}{2}\lg n)\,Mu$ (as declared, C(Mu)=C(Sq)). These complexities are not
definitive, and to obtain exact ones we would use the newest methods in the literature.
But this helps us to order the main arithmetic operations; as in [29], according to these
complexities we have: C(multiplication) < C(inverse) < C(exponentiation)

In [11] Boyen equates the exponentiation $x^n$ with the scalar multiplication [n]P, since the same
operations can be applied to process n. This is not accurate, because for [n]P we must consider an additional
complexity:

Following [29], in Jacobian coordinates we have:
$C(\mathrm{ECADD}) = 12Mu + 2Sq = 14\,O((\log n)^2)$ (C(Mu)=C(Sq), $Z \neq 1$)
and $C(\mathrm{ECDBL}) = 7Mu + 5Sq = 13\,O((\log n)^2)$ ($a \neq -3$)

where ECADD denotes elliptic curve point addition P+Q and ECDBL denotes elliptic curve point
doubling 2P.

Also following [29] and using the NAF algorithm we have:

$C(dP) = (n-1)\,\mathrm{ECDBL} + \frac{n-1}{3}\,\mathrm{ECADD} = 13(n-1)\,O((\log n)^2) + 14\,\frac{n-1}{3}\,O((\log n)^2) = \frac{53}{3}(n-1)\,O((\log n)^2)$.
And $C(2^n P) = 4n\,Mu + (4n+2)\,Sq = (8n+2)\,O((\log n)^2)$, i.e. for $d = 2^n$.
According to the Maptopoint algorithm we have:

C(Maptopoint) = C(1 square) + C(1 cubic root) + C(1 scalar multiplication)

So: $C(\text{Maptopoint}) = O((\log n)^2) + O(\lg\lg n) + \frac{53}{3}(n-1)\,O((\log n)^2)$ (the complexity of the cubic root
is $O(\lg\lg n)$ following an algorithm in [28]).

For the complexity of the pairing we take into consideration, as far as possible, all the reductions we
can apply to speed up the pairing. We take Tate as the example because Weil is heavy (two times bigger
than Tate). So we have:

C(pairing=Tate)=C(Miler)+C (Exponentiation), since t r = (f r ) r 
With a naive calculation we have:

We start with the complexity of Miller's algorithm. As is customary to accelerate
the computation, we neglect the second tranche of Miller's algorithm, supposing that our r is sparse (for example
$r = 3^{97} + 3^{49} + 1$, so we can neglect 3 bits in front of 94 bits).

k ^ ^ 1 

Firstly, we have t r = (f r (DQ)) 3 ~^~ = ( ^ r f ^{s)^ ) 3 ~ r ~ w ^ n = [Q+S]-[S] for an arbitrary chosen 
S in the elliptic curve concerned. Miller's algorithm is summarized in Table 4.

In this algorithm, we need three stages: (1) computation of ECDBL (we neglect ECADD) (2)
computation of $l_1(Q+S)$, $l_1(S)$, $v_1(Q+S)$, $v_1(S)$ (3) update of $f_1$

According to [29] we then have: $C(\text{Miller}) = r\log 2\,(4Mu_k + 2Sq_k + (6k+7)Mu + 7Sq)$, where $r \log 2$
is the number of iterations. If r is at the same level of security as n, we will have:
$C(\text{Miller}) = n\log 2\,(4Mu_k + 2Sq_k + (6k+7)Mu + 7Sq)$.

NB :

1. Even though we rely on a work [29] from 2003, this complexity is close to the one in [30],
done in 2009, section II. 2.1. In the latter the author does not take into account $l_1(Q+S)$,
$v_1(Q+S)$, or the multiplications $l_1(Q+S) \times v_1(S)$, $l_1(S) \times v_1(Q+S)$.

2. k denotes the embedding degree of the field used, for example $F_{p^k}$ ; $Mu_k$ : multiplication in
this field ; $Sq_k$ : squaring in this field.

3. Certain works use a twist, which eliminates the calculation of $v_1$; this is possible for embedding degree

Table 4 - first tranche



Computation of the first tranche

Input : r = (r_n ... r_0) (binary representation),
P ∈ E[r] (⊂ E(F_q)) and Q ∈ G_1 (⊂ E(F_{q^k}))
S ∈ G_1 (⊂ E(F_{q^k}))
Output : f_{r,P}(Q) ∈ G_3 (⊂ F*_{q^k})
T ← P
f_1 ← 1
for i = n - 1 to 0 do
1 : T ← [2]T
    f_1 ← f_1^2 × (l_1(Q+S) × v_1(S)) / (l_1(S) × v_1(Q+S))

l_1 is the tangent to the curve at T.
v_1 is the vertical to the curve at [2]T.



divided by 2, 3, 4, 6. But we do not take it into consideration in this work.

4. According to [31], for $k = 2^i 3^j$: $Mu_k = 3^i 5^j\,Mu$; $Mu_k \approx Sq_k$ so $Sq_k =$

We take $k = 2^i 3^j$ as an experimental embedding degree to make our comparison, because of the last step
(step number 4) and the fact that C(Mu) ≈ C(Sq). So:
$C(\text{Miller}) = n\log 2\,\big((6\cdot 3^i 5^j + (6k+14))\,O((\log n)^2)\big)$.

For k=12 and a security level of 80, we have: $C(\text{Miller}) = 28480 \log 2 \cdot O(6400(\log 2)^2)$.
$C(\text{pairing}) = n\log 2\,\big((6\cdot 3^i 5^j + (6k+14))\,O((\log n)^2)\big) + (\tfrac{3}{2}\lg n)\,O((\log n)^2)$
We move now to the inversion of two pairings:

According to section 2.1.7 instead of calculate ^ 1 S 1 ffi 1 u = (/ri ' Pl(g ° l)) l\ , if Pi and P 2 have the 

same order r=n = we calculate only t r (D r (DQ 1 )) x t r (D r (DQ 2 )). This reduce the complexity 
from $4Mu_k$ to only $2Mu_k$ (as an inversion in $F_{p^k}$ is approximated by $4Mu_k$ following [29]).
Using this, the technique proposed in the section 2.1.7 and complexity given in [29] (first tranche), 
we have : 

$C(\text{Inversion of Tate Pairing}) = n\log 2\,(2(4Mu + 6Sq) + 2(3Mu + 1Sq) + 4(3k\,Mu) + 4Mu_k + 2Sq_k) + 1\,C(\text{exponent})$
$= (28 + 12k + 6\cdot 3^i 5^j)\,Mu + \tfrac{3}{2}\log n\,O((\log n)^2) = n\log 2\,(28 + 12k + 6\cdot 3^i 5^j)\,O((\log n)^2) + \tfrac{3}{2}\log n\,O((\log n)^2)$

We will use all this complexity in the following section when we have ambiguity. 
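The cost model of this section collected into a small calculator, as an added example (not code from the paper). It assumes n is the bit length, reads n log 2 as the number of Miller iterations, counts everything in units of one base-field multiplication O((log n)^2), and takes the Params row of Table 3 as read here; all function names are illustrative.

```python
from fractions import Fraction

ECDBL = 13  # page: C(ECDBL) = 7Mu + 5Sq, counted there as 13 units
ECADD = 14  # page: C(ECADD) = 12Mu + 2Sq = 14 units


def split_2_3(k):
    """Return (i, j) with k = 2^i * 3^j; the model only covers such k."""
    if k < 1:
        raise ValueError("embedding degree must be positive")
    i = j = 0
    while k % 2 == 0:
        k //= 2
        i += 1
    while k % 3 == 0:
        k //= 3
        j += 1
    if k != 1:
        raise ValueError("k must be of the form 2^i * 3^j")
    return i, j


def mu_ext(k):
    """Mu_k = 3^i 5^j Mu (Sq_k is counted like Mu_k)."""
    i, j = split_2_3(k)
    return 3 ** i * 5 ** j


def cost_exp(bits):
    """Right-to-left binary exponentiation: (3/2 lg n) Mu."""
    return Fraction(3, 2) * bits


def cost_mul_sca(bits):
    """NAF scalar multiplication: (n-1) ECDBL + (n-1)/3 ECADD = 53/3 (n-1)."""
    return ECDBL * (bits - 1) + ECADD * Fraction(bits - 1, 3)


def cost_miller(bits, k):
    """Per iteration 4Mu_k + 2Sq_k + (6k+7)Mu + 7Sq = 6*3^i*5^j + 6k + 14."""
    return bits * (6 * mu_ext(k) + 6 * k + 14)


def cost_pair(bits, k):
    """Tate pairing = Miller loop + final exponentiation."""
    return cost_miller(bits, k) + cost_exp(bits)


def cost_inv_2pair(bits, k):
    """Inversion of two pairings: per iteration 28 + 12k + 6*3^i*5^j."""
    return bits * (28 + 12 * k + 6 * mu_ext(k)) + cost_exp(bits)


# Params row of Table 3 as operation counts (as read from the table).
PARAMS_ROW = {
    "BF": {"Mul_sca": 1},
    "SK": {"Mul_sca": 1, "pair": 1},
    "Water": {"Mul_sca": 1, "pair": 1},
    "BB2": {"Mul_sca": 2, "pair": 1},
    "BB1": {"Mul_sca": 2, "pair": 1, "Exp_ffi": 1},
    "Gentry": {"pair": 4},
}


def evaluate(counts, bits, k):
    """Total cost of one table cell given as {operation: multiplicity}."""
    unit = {
        "Mul_sca": cost_mul_sca(bits),
        "Exp_ffi": cost_exp(bits),
        "pair": cost_pair(bits, k),
        "Inv_2pair": cost_inv_2pair(bits, k),
    }
    return sum(n * unit[op] for op, n in counts.items())


def rank_params(bits=80, k=12):
    """Schemes ordered by Params cost, cheapest first (ties keep table order)."""
    costs = {name: evaluate(c, bits, k) for name, c in PARAMS_ROW.items()}
    return sorted(costs.items(), key=lambda item: item[1])


if __name__ == "__main__":
    print("C(Miller), k=12, 80 bits:", cost_miller(80, 12))
    for name, cost in rank_params():
        print(f"{name:7s} {float(cost):12.1f}")
```

With k = 12 at the 80-bit level the Miller coefficient comes out as 28480, the figure quoted above, and the Params ordering matches the chain derived in the next section.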
Efficient Classification 

To classify our cryptosystems we compare them at each step: Params, Extract, Encrypt,
Decrypt. Following the complexities in Table 3 and the complexities stated in the previous
section, we have:

It is clear from Table 3 that: (BF - Gentry)_Params < (SK - ChenCheng)_Params & Water_Params < BB2_Params.
To compare BB1_Params and Gentry_Params we compare only 2C(Mul_sca)+C(Exp_ffi)
and 3C(pair). As we have $\frac{106}{3}(n-1) + \frac{3}{2}\log n < (n\log 2)\,(18\cdot 3^i 5^j + 3(6k+14) + \frac{3}{2}\log n)$, BB1_Params < Gentry_Params.

So: (BF - Gentry)_Params < (SK - ChenCheng)_Params & Water_Params < BB2_Params < BB1_Params < Gentry_Params.

For Extract, the fact that Mul_sca has in its formula Mul and Sq terms multiplied by n helps
us to state the ordering more easily. The only ambiguity that we can have is between BF and BB1, but as we
have C(square root) < C(Mul) we will have:

(SK - ChenCheng)_Extract < BB2_Extract < (BF - Galindo)_Extract < BB1_Extract < Gentry_Extract < Water_Extract.

At the Encrypt level we have regrouped the complexity for each cryptosystem; using the fact that
an inversion in $F_{p^k}$ is approximated by $4Mu_k$ [29] (for Gentry) we find that:

(SK - ChenCheng)_Encrypt < BB1_Encrypt & Water_Encrypt < BB2_Encrypt < Gentry_Encrypt < (BF - Galindo)_Encrypt
As for Decrypt, we have:

(BF - Galindo)_Decrypt < (SK - ChenCheng)_Decrypt < Water_Decrypt < BB2_Decrypt < BB1_Decrypt < Gentry_Decrypt.

The classifications between (BF - Galindo)_Decrypt and (SK - ChenCheng)_Decrypt,
as well as between BB2_Decrypt and BB1_Decrypt and between BB1_Decrypt and Gentry_Decrypt, are clear. We have an
ambiguity between Water_Decrypt and BB2_Decrypt, and between Water_Decrypt and (SK - ChenCheng)_Decrypt. But
as we have nlog2(28+12k+6.3\5^')+l > nlog2(6.3\5^+6k+14)+ f (n-1), because (14+6k)log2+l> 
4p(n-l) (we can take the minimal case k=2) we can so conclude. 



Table 5 - Classification

           BF Gal   SKch-Chg   BB1     BB2     Water   Gentry
Params     1        2          4       3       2       5
Extract    3        1          4       2       6       5
Encrypt    5        1          2       3       2       4
Decrypt    1        2          5       4       3       6
Sum        10       6          15      12      13      20
Class      (2nd)    (1st)      (5th)   (3rd)   (4th)   (6th)



2.3 Final Classification 

As a consequence of all that we have seen before, we regroup our results in the following table:

                 BF      SK      BB1     BB2     Water   Gentry
Class TABLE 1    (2nd)   (5th)   (4th)   (6th)   (1st)   (3rd)
Class TABLE 5    (2nd)   (1st)   (5th)   (3rd)   (4th)   (6th)
Sum              4       6       9       9       5       9
Final Class1     (1st)   (3rd)   (4th)   (4th)   (2nd)   (4th)



2.4 Propriety Associate 

In this section, as in [11], we also enrich our study with additional properties such as: multi-recipient
encryption, threshold secret sharing, hierarchical identities. Our comparison is totally
different from that of [11], because we do not only mark the property against the cryptosystems
as [11] does, but we test which cryptosystem best satisfies the desired property.
We first recall the following, with a few details:

Multi-recipient encryption (1) : The act of encrypting a single message to multiple users.
So this property requires a small Encrypt.

Threshold secret sharing (2) : The division of the master key among several authorities, to
avoid concentrating it in one. Each of them is able to calculate a corresponding
private key. So this property requires a small Extract.

Hierarchical Identity (3) : The arrangement of multiple identities in a hierarchy (many
authorities classified in a hierarchy) using the same Params. Each higher authority generates
the corresponding key for the one below it. This property requires small Extract and Encrypt. Its
ranking is calculated as (Extract + Encrypt).





                                   BF      SK      BB1     BB2     Water   Gentry
M-r enc (1)                        5       1       2       3       2       4
Th s sh (2)                        3       1       4       2       6       5
Hi id (3)                          4       1       3       2       4       5
Sum                                12      3       9       7       12      14
Class2                             (4th)   (1st)   (3rd)   (2nd)   (4th)   (5th)
Specific Class Fi = Class1+Class2  (2nd)   (1st)   (4th)   (3rd)   (3rd)   (5th)



3 Second goal 

In the following sections, we give efficient IBE/HIBE schemes in the selective-ID model. A
comparison in terms of performance and complexity with the BB1 and BBG schemes is in favor of our
scheme.

3.1 Preliminaries 

To become familiar with the difference between IBE and HIBE, we give in the following the
functionality of each.

3.1.1 Functionality of IBE :

An IBE system contains four basic components in its construction:

Setup : A trusted central authority manages the parameters with which keys are created. This
authority is called the Private Key Generator or PKG. The PKG takes a security parameter k and
returns params (system parameters) and master-key. The system parameters will be publicly
known, while the master-key will be known only to the PKG.

Extract : Takes as input params, master-key, and an arbitrary $ID_R$; it returns a private key
$d_{ID_R}$.

Encryption : When Alice wishes to encrypt a message to Bob, she encrypts the message to him by
computing or obtaining the public key, and then encrypting a plaintext message M with params and
$ID_{Bob}$ to obtain ciphertext C.

Decryption : When Bob has C, he contacts the PKG to obtain the private key Sec*, then he decrypts
C to obtain the plaintext message M.

3.1.2 IBE security notions 

As is known, Boneh and Franklin define in [2] chosen ciphertext security for IBE systems
under a chosen identity attack. In this model the adversary is allowed to adaptively choose the public
key it wishes to attack. In [13] Canetti, Halevi, and Katz define another, weaker notion
of security. In this model the adversary commits ahead of time to the public key it will attack.
Before giving its functionality we first recall that the security of a cryptographic scheme
combines the possible goals and attack models. The most important goals are: indistinguishability
(IND/sIND) and semantic security. Regarding attacks we have: chosen-plaintext attacks (CPA) and
chosen-ciphertext attacks (CCA). The relation between all of these was given in [32].
Definition : IND-ID/sID-{CCA, CPA}

Let $\Gamma = (S, X, E, D)$ be an IBE scheme, and let $A = (A_0, A_1, A_2)$ be any 3-tuple of PPT oracle
algorithms. For ATK = ID/sID-CPA, ID/sID-CCA, we say $\Gamma$ is IND/sID-ATK secure if for
any 3-tuple of PPT oracle algorithms A, $|pr(1) - pr(2)| \in neg$, where

' (id, 7 ) <— M*) 
(pms,mk) < — S(l l ) ; 



pr(i> 







((m« 
c < 
v ■ 



/m( 2 \id ch ),a) f- 

E(pms, id c h, 
o u o 2 
2 



A^ >1 '° 2 (pms, id, 7) 



>. 



A^ 2 (a, (id ch ,c)) 



The expression represents the oracles $O_1$, $O_2$. Additionally, $m^{(1)}$ and $m^{(2)}$ are required to have
the same length; neither $A_1$ nor $A_2$ is allowed to query $O_1$ on the challenge identity $id_{ch}$, and
$A_2$ cannot query $O_2$ on the challenge pair $(id_{ch}, c)$. These queries may be asked adaptively
(like CCA2 after phase 2), that is, each query may depend on the answers obtained to the
previous queries.



3.1.3 Functionality of HIBE 

Like an IBE system, a Hierarchical Identity Based Encryption (HIBE) system consists of four
algorithms [15] [16] : Setup, KeyGen, Encrypt, Decrypt.

In HIBE, however, identities are vectors; a vector of dimension k represents an identity at depth k.
The Setup algorithm generates system parameters, denoted by params, and a master key master-key.
We refer to the master-key as the private key at depth 0 and note that an IBE system is a
HIBE where all identities are at depth 1. Algorithm KeyGen takes as input an identity $ID = (I_1, \ldots, I_k)$
at depth k and the private key $d_{ID|k-1}$ of the parent identity $ID|k-1 = (I_1, \ldots, I_{k-1})$
at depth k-1, and then outputs the private key $d_{ID}$ for identity ID. The encryption algorithm
encrypts messages for an identity using params and the decryption algorithm decrypts ciphertexts
using the private key.



3.1.4 The main approach of IBE 

We can classify the IBE cryptosystems in three categories:

• Full-Domain-Hash approach : In this model we project onto the elliptic curve instead of the finite
field; its prototype is summarized by the idea of Boneh-Franklin [2].

• Exponent-Inversion approach : In this approach the identity key used in Extract appears
as an inverse. The second scheme of Boneh-Boyen (BB2) [4], that of Sakai-Kasahara (SK) [3], and
also Gentry [6] work with this approach.

• Commutative-Blinding approach, defined by the first IBE scheme of Boneh-Boyen (BB1) [4].
It is based on the idea of creating, from two or more secret coefficients, two blinding factors that
commute with each other under the pairing. The main quality that characterizes this paradigm
is the greater flexibility provided by its algebraic structure, since the identity presented in
Extract appears in linear form.
3.1.5 Selective Identity IBE/HIBE Security Notions

Selective Identity for an IBE functions as follows, but we give only the CPA version, i.e. without using
the decryption queries in phase 1:
Init :

The adversary outputs an identity ID* on which it wishes to be challenged.
Setup :

The challenger runs the Setup algorithm. It gives the adversary the resulting system parameters
params. It keeps the master-key to itself.

Phase 1 :

The adversary issues queries $q_1, \ldots, q_m$ where query $q_i$ is:

- Private key query $\langle ID_i \rangle$ where $ID_i \neq ID^*$ and $ID_i$ is not a prefix of ID*. The challenger
responds by running algorithm KeyGen to generate the private key $d_i$ corresponding to the
public key $\langle ID_i \rangle$. It sends $d_i$ to the adversary.

Challenge :

Once the adversary decides that Phase 1 is over it outputs two equal length plaintexts $M_0, M_1 \in M$
on which it wishes to be challenged. The challenger picks a random bit $b \in \{0, 1\}$ and sets
the challenge ciphertext to $C = Encrypt(params, ID^*, M_b)$. It sends C as the challenge to the
adversary.

Phase 2 :

As phase 1
Guess :

Finally, the adversary outputs a guess $b' \in \{0, 1\}$. The adversary wins if $b = b'$.

We refer to such an adversary A as an IND-sID-CPA adversary. We define the advantage of the
adversary A in attacking the scheme E as $Adv_{E,A} = |\Pr[b = b'] - \tfrac{1}{2}|$. The probability is over the
random bits used by the challenger and the adversary.

We say that an IBE (or HIBE, with $ID = ID_1, ID_2, \ldots, ID_k$ for a level k) system E is $(t, q_{ID}, \epsilon)$-selective-identity,
adaptive plaintext secure if for any IND-sID-CPA adversary A that runs in time t and makes
at most $q_{ID}$ chosen private-key queries, we have that $Adv_{E,A} = |\Pr[b = b'] - \tfrac{1}{2}| < \epsilon$.

3.1.6 Selective+-ID Model 

In Selective+-ID [14] more power is given to the adversary. The power is a modification
made in the Challenge phase (prefix of ID*).

Challenge : A outputs two equal length messages $M_0$, $M_1$ and an identity v+ where v+ is either
ID* or any of its prefixes. In response it receives an encryption of M under v+, where is chosen
uniformly at random from {0, 1}. This model is more general than the sID model, because the
adversary is allowed to ask for a challenge ciphertext not only on ID* but also on any of its
prefixes.

A protocol secure in the selective+-ID model is obviously secure in the selective-ID model.

3.1.7 Problem Bilinear of Diffie Hellman Assumption

Throughout the following sections, we use the multiplicative notation instead of the additive one to
simplify the proof of security. So we give the following definitions in multiplicative notation.
Definition 8 :
((Decisional) Bilinear Diffie-Hellman Problem DBDHP). Let $G_1$, $G_2$ be two groups of prime order
q. Let

$e : G_1 \times G_2 \to G_T$ be an admissible bilinear map and let g be a generator of $G_1$.
The DBDHP in $\langle G_1, G_2, e \rangle$ is: given $\langle g, g^a, g^b, g^c, z \rangle$ for $a, b, c \in Z_q$ and $z \in G_2^*$, we
say that an algorithm A that outputs $b \in \{0,1\}$ has advantage $\epsilon$ in solving the decision BDHP
in G if:

$|\Pr[g, g^a, g^b, g^c, e(g,g)^{abc}] - \Pr[g, g^a, g^b, g^c, z]| > \epsilon$

where the probability is over the random choice of generator g in $G_1$, the random choice of a,
b, c in $Z_q$, the random choice of $z \in G_2$, and the random bits of A. The distribution on the
left is referred to as $P_{BDHP}$ and the distribution on the right as $R_{BDHP}$.

Definition 9 :

((Decisional) k-Bilinear Diffie Hellman Inversion Problem (Dk-BDHIP)). Let k be an integer,
and $x \in Z^*$, $g \in G_1^*$, $e : G_1 \times G_2 \to G_T$, $T \in G_T$. Can we make the following separation:
$|\Pr[g, g^x, g^{x^2}, \ldots, g^{x^k}, e(g,g)^{1/x}] - \Pr[g, g^x, g^{x^2}, \ldots, g^{x^k}, T]| > \epsilon$

Definition 10 :

((Decisional) k-Weak Bilinear Diffie Hellman Inversion Problem (Dk-wBDHIP*)). Let k be
an integer, and $x \in Z^*$, $g \in G_1$, $e : G_1 \times G_2 \to G_T$, $T \in G_T$. Can we make the following
separation:

$|\Pr[g, h, g^x, g^{x^2}, \ldots, g^{x^k}, e(g,h)^{x^{k+1}}] - \Pr[g, h, g^x, g^{x^2}, \ldots, g^{x^k}, T]| > \epsilon$
3.2 Efficient IBE 

Our second goal in this work is to present an efficient scheme in the selective-ID model. This
notion of security is weaker; Boneh et al. prove that to pass from selective ID to full domain we
introduce a factor N. Additionally, as we have seen previously, BB1 is also more complex.
We therefore propose to reduce this scheme, or rather to propose a more reduced scheme in the Commutative
Blinding approach and under the selective-ID model.

3.2.1 Construction

To avoid the use of two pairings in Decrypt as with BB1, we combine in our approach the principle
of the inverse in Extract, as in BB2 [4], with that of commutative blinding [10]. Our procedure
is as follows:
Our Scheme



Setup. Let $(G_1, G_T)$ be a bilinear group. Choose a generator $g \in G_1$
and set $P_{pub} = g^{l} \in G_1^*$. Calculate $e(g,g) = x$ and $e(g,g)^a = x^a = y$.
$M_{pk} = \{G_1, G_T, P_{pub}, x, y\}$. The master secret key is $M_{sk} = \{l, a\}$.
Message space is $\{0,1\}^n$, ciphertext space is $G_1^* \times \{0,1\}^n \times \{0,1\}^n$.
Extract : Given an identifier $ID_A \in \{0,1\}^n$ of entity A, $M_{pk}$ and $M_{sk}$

°-+ID A ^ft^ +r ID A ID A a' + r' IDA ID A a + ID A 

Pick an r ID . A £ Z q , returns g r ' D A l =g l =g l , (riD A ,9 TiUa1 , 

Encrypt : Given $m \in M$, $ID_A$ and $M_{pk}$, the following steps are performed:

1. Pick a random s in $Z_q$

2. Compute $z^{s(ID_A + a)} = e(g,g)^{s(ID_A + a)} = (x^{ID_A}\,y)^s$

Set the ciphertext to be $C = (g^{ls} = P_{pub}^{\,s},\; m \cdot z^{s(ID_A + a)})$
Decrypt : Given a ciphertext $C = (u,v) \in C$, $ID_A$, $d_A$ and $M_{pk}$, follow the steps
1. Compute e(u r ,aU) and output m= a+IE>A 



First it is necessary to fix a security parameter t; l and a follow the degree of security of this
parameter.

Correctness

As we have:

$e\big(u^{r_{ID_A}},\, g^{\frac{a + ID_A}{r_{ID_A} l}}\big) = e\big(g^{l s r_{ID_A}},\, g^{\frac{a + ID_A}{r_{ID_A} l}}\big) = e(g,g)^{s(ID_A + a)}$, our scheme is then correct.
Observation

In our scheme we use the master key (s,a,P=^P2), the private key will be d>A={r i d A {a+Hi{I D a)))P ■ 
As a consequence the P in our scheme will be computed one time and will be reuse to each demands, 
contrary to [4]. Noting that the syntax d>A x of a given entity A±, we couldn't calculate the private 
key d,A 2 for another entity A2, because we don't know a and we cannot inverse s. Also we change 
tid a for each Identity. 
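A toy model of the construction above together with the IND-sID-CPA game of section 3.1.5, as an added example (not the authors' code). It assumes $G_1$ elements are stored as their exponents mod q, so the pairing becomes $e(g^a, g^b) = x^{ab}$ and discrete logs are visible by construction: it checks the algebra only. Extract and Decrypt follow the Correctness equation (key $(r, g^{(a+ID)/(rl)})$, $m = v / e(u^r, d)$), and the parameters q = 1019, P = 2039 and all names are constructed.

```python
import secrets

Q = 1019        # toy prime group order (constructed value)
P = 2 * Q + 1   # 2039 is prime, so Z_P^* has a subgroup of order Q (our G_T)
X = 4           # x = e(g, g): a generator of that order-Q subgroup


def pairing(a, b):
    """e(g^a, g^b) = x^(ab); G_1 elements are represented by their exponents."""
    return pow(X, (a * b) % Q, P)


def rand_nonzero():
    return secrets.randbelow(Q - 1) + 1


def setup():
    l, a = rand_nonzero(), rand_nonzero()
    # P_pub = g^l is stored as the exponent l: fine for a correctness model only.
    params = {"P_pub": l, "x": X, "y": pow(X, a, P)}
    return params, {"l": l, "a": a}


def extract(msk, ident):
    """Private key (r, d) with d = g^((a + ID) / (r l))."""
    r = rand_nonzero()
    d = (msk["a"] + ident) * pow(r * msk["l"], -1, Q) % Q
    return r, d


def mask_base(params, ident):
    """x^ID * y = e(g, g)^(ID + a), computable from public values."""
    return pow(params["x"], ident % Q, P) * params["y"] % P


def encrypt(params, ident, m, s=None):
    base = mask_base(params, ident)
    if base == 1:
        # ID + a = 0 mod q: the mask is 1 for every s and v would equal m.
        raise ValueError("degenerate identity: ID + a = 0 mod q")
    s = s or rand_nonzero()
    u = params["P_pub"] * s % Q        # u = P_pub^s = g^(l s)
    v = m * pow(base, s, P) % P        # v = m * z^(s (ID + a))
    return u, v


def decrypt(key, ciphertext):
    r, d = key
    u, v = ciphertext
    mask = pairing(u * r % Q, d)       # e(u^r, d) = x^(s (ID + a))
    return v * pow(mask, -1, P) % P


class KeyOracle:
    """Phase 1 / Phase 2 private-key oracle: refuses the committed ID*."""

    def __init__(self, msk, target):
        self.msk, self.target, self.queries = msk, target % Q, 0

    def __call__(self, ident):
        if ident % Q == self.target:
            raise PermissionError("private-key query on ID* is not allowed")
        self.queries += 1
        return extract(self.msk, ident)


def sid_cpa_game(adversary):
    """One run of Init, Setup, Phase 1, Challenge, Phase 2, Guess."""
    target = adversary.init() % Q                  # Init: commit to ID*
    while True:                                    # Setup (skip degenerate a)
        params, msk = setup()
        if mask_base(params, target) != 1:
            break
    oracle = KeyOracle(msk, target)
    m0, m1 = adversary.messages(params, oracle)    # Phase 1, then M_0, M_1
    b = secrets.randbelow(2)
    challenge = encrypt(params, target, (m0, m1)[b])
    return adversary.guess(challenge, oracle) == b  # Phase 2, then Guess


class GuessingAdversary:
    """Baseline adversary: one legal key query, then a coin flip."""

    def init(self):
        return 7

    def messages(self, params, oracle):
        oracle(8)                                  # allowed: 8 != ID*
        return pow(X, 5, P), pow(X, 9, P)

    def guess(self, challenge, oracle):
        return secrets.randbelow(2)
```

The `base == 1` check in `encrypt` covers the one identity for which the mask carries no secret, which any implementation of this construction would have to reject.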

3.2.2 Prove of Security 

Before proving the security of our scheme, we note that $k^{\sim}$-BDHI means that we can use any
k > 0 (it is not linked to the number of users as with [4]). It is of our choice (we can choose
2 or any number); by contrast, with [4] we need at least $2^{50}$ (after [7]) for an 80-bit level of security.
The security of our scheme is based on the D$k^{\sim}$-BDHI assumption, since:

Theorem : Suppose the $(t, k^{\sim}, \epsilon)$-Decision BDHI assumption holds in G of size |G| = p. Then our
scheme is $(t', q_S, \epsilon)$-selective identity, chosen plaintext (IND-sID-CPA) secure, with an advantage:
$adv_{scheme}(t') > adv_{Dk^{\sim}\text{-}DBDHIP}(t - O(\tau q))$ for any $q_S < q$, where $\tau$ is the time needed for an
exponentiation in the following study.

Proof. Suppose A has advantage $\epsilon$ in attacking our scheme. We build an algorithm B that uses A
to solve the Decision $k^{\sim}$-BDHI problem in G. Algorithm B is given as input a random $(k^{\sim}+2)$-tuple

$(g, g^a, g^{a^2}, \ldots, g^{a^{k^{\sim}}}, T) \in G_1^{k^{\sim}+1} \times G_T$ that is either sampled from $P_{BDHI}$ (where $T = e(g,g)^{1/a}$) or
from $R_{BDHI}$ (where T is uniform and independent in $G_T$). The goal of algorithm B is to output
1 if $T = e(g,g)^{1/a}$ and 0 otherwise. Algorithm B works by interacting with A in a selective identity
game as follows:

Setup. 

To generate the system parameters, algorithm B does the following : 

In the beginning algorithm A give B the identity I*=j^ that it intends to attack. The selective 
identity game begins, but algorithm B need to prepare to it the following step : 
Preparation step 

In the preparation step algorithm B choose an arbitrary x he compute b\x 
After he compute (implicitly) : f(a) = ^2i = i k Cia 1 

He choose an arbitrary ro then he compute (implicitly) r\ = fQ^2 i=l k Cia l ~ 1 
In the end he compute h=g^ a ^ and he publish this h 

Phase 1 : 

A issues at most qs private key queries, with q$ < q. Consider the i-th query for the private 
key corresponding to public key IDi / ID* . 

a + r(I-I*) 

We need to respond with a private key (r, h a ) 

The I represent a general identity ID and /* represent an identity to be attacked 

r is uniformly distributed in Z p . 

Algorithm B responds to the query as follows : 

a + ID A 

Firstly it is possible that the private key in our scheme may has the syntax d,A=g 1 instead 

a + IDj^ a f 7 T) a'-\-r'lDj^ 

of d,A=g ~ l =g~ + i ~ = g 1 • But we need this latter to simplify the proof 
B pose + T\ he can calculate implicitly 

a Ei=l °i a 

= /H f x_ , __ri ,j _ 

a n»E l= i fc cia*- 1 E,=i* c ia i-\i-i*) y " 

= f( a ) ( x , n)J2 i= i k Cja'- 1 ,j _ 

_/(«) 



\ a ) ( X I rp_ ( T T*\\ 



./(a), 



a' + r > {!-!*)) 



With r^j 1 ^ which is easy to calculate by B 

But a'= fn is not it is a Master key for B like a. 

i=1 CiCX 1 



NB : (For the master key a, A can publish g a in system of parameters. To remove this a, 
B search for an a such that : g a g a = g a ) 

r — 
So B can calculate easily g as he know g r o and g r ° 

But g = g a (a ( >>=h <* which is a valid private key and so B can give A the 

a'+r'(I-I*) 

private key (i\h <* ) 

More B has not the advantage to calculate the private key for I* 
Challenge. 

A outputs two messages Mo, Mi G G\. Algorithm B picks a random bit b 6 {0,1} and a random 
P G Z p * . It responds with the ciphertext prepared as follow : 
He have h s = = h l ' a = c u with l'=± 

And c 2 =MT (i ~ ) = T s h {x+n (or rather c 2 =MT )i ~ J = T s h {a+n ) 
So if T h = e(h,h)* he will have e(h,h)i^ x+I ^ = c 2 = e(h,h) l '( x+I ^ 

And he combine CT=(ci,c 2 ) = (// Q , e(/i, fr)'' (*+'*)) which is a valid ciphertext under ID* 
If Th is uniform in G\, then CT is independent of the bit b. 



Phase 2.

A issues more private key queries, for a total of at most $q_S < q$. Algorithm B responds as
before.

Guess.

Finally, A outputs a guess $b' \in \{0, 1\}$. If b = b' then B outputs 1, meaning $T = e(g,g)^{1/a}$.
Otherwise, it outputs 0, meaning $T \neq e(g,g)^{1/a}$.

When the input $(k^{\sim}+2)$-tuple is sampled from $P_{BDHIP}$ (where $T = e(g,g)^{1/a}$) then A's view is
identical to its view in a real attack game and therefore A must satisfy $|\Pr[b = b'] - 1/2| > \epsilon$. On the
other hand, when the input $(k^{\sim}+2)$-tuple is sampled from $R_{BDHIP}$ (where T is uniform in $G_T$) then
$\Pr[b = b'] = 1/2$. Therefore, with g uniform in $G_1$ and T uniform in $G_T$, we have that:

$|\Pr[g, g^a, g^{a^2}, \ldots, g^{a^{k^{\sim}}}, e(g,g)^{1/a}] - \Pr[g, g^a, g^{a^2}, \ldots, g^{a^{k^{\sim}}}, T]| > |(\tfrac{1}{2} \pm \epsilon) - \tfrac{1}{2}| = \epsilon$. □
Note that in IBE, s+-ID and s-ID are the same; the difference may appear in HIBE.

3.2.3 Discussion 

► Comparison with BB1 and BB2

In the following we compare the efficiency of our scheme with BB1 (IBE version [11] but under
selective ID) and with BB2. We have seen above that we make a small change to BB2. This change
is effective, as it reduces the complexity of BB2. More than that, our scheme is also more efficient
than BB1 (IBE version [11]). All these statements are summarized in Table 6.

■ Compute of complexity

With the following notation:

For example, Exp_ffi(*/**) : Exponentiation in the finite field involved in */**, where * is the base of the
exponentiation and ** the base of the exponent ; Pair : Pairing ; Inv : Inverse ; Mul : Multiplication.
As we have : Complexity bbi — Cofnplexityo ur — 

(3PaiT+lDivff iGT/GT +3Mulff iGi/Gi + 7Exp ffiGi/Zq + 2Exp ffiGT/Zq ) - 

(2Pair+lDiv ffiGT/GT +2Mul ffiZq/Zq + lMul ffiGT/GT +3Exp ffiGi/Zq +3Exp ffiGT/Zq +lInv ffiZq/Zq ) 

lPak+4Exp ffiGi/Zq +3Mul ffiGi/Gi -Unv ffiZq/Zq -2Mul ffiZq/Zq -lMul ffiGT/GT -lEx PffiGT/Zq » 


And we have : Complexity bbi — Complexity our = 
(2Pah+lDiv f fi GT/aT +2Mvlff iGi/ai +lExp ffiGT/Zq +7Ex 

(2Pair+lDiv ffiGT/GT +2Mul ffiZq/Zq + lMul ffiGT/GT +3Exp ffiGi/Zq +3Exp ffiGT/Zq +lInv ffiZq/Zq ) 

Our scheme is then more efficient than BB1 and BB2. Note that in our scheme and in BB2, we have
taken into consideration the use of r, which we need only in the proof. The ^ is calculated one
time and we reuse its value for each demand.
Table 6 -

BB1
  Params    2Exp_ffi(G1/Zq) + 1Pair + 1Exp_ffi(GT/Zq)
  Extract   2Mul_ffi(Zq/Zq) + 2Exp_ffi(G1/Zq)
  Encrypt   1Mul_ffi(Zq/Zq) + 3Exp_ffi(G1/Zq) + 1Exp_ffi(GT/Zq)
  Decrypt   2Pair + 1Div_ffi(GT/GT)
  Sum       3Pair + 1Div_ffi(GT/GT) + 3Mul_ffi(G1/G1) + 7Exp_ffi(G1/Zq) + 2Exp_ffi(GT/Zq)

BB2
  Params    2Exp_ffi(G1/Zq) + 1Pair
  Extract   1Mul_ffi(Zq/Zq) + 1Inv_ffi(Zq/Zq) + 1Exp_ffi(G1/Zq)
  Encrypt   1Mul_ffi(Zq/Zq) + 3Exp_ffi(G1/Zq) + 1Exp_ffi(GT/Zq) + 1Mul_ffi(G1/G1)
  Decrypt   1Pair + 1Div_ffi(GT/GT) + 1Mul_ffi(G1/G1) + 1Exp_ffi(G1/Zq)
  Sum       2Pair + 1Div_ffi(GT/GT) + 2Mul_ffi(G1/G1) + 7Exp_ffi(G1/Zq) + 1Inv_ffi(Zq/Zq) + 2Mul_ffi(G1/Zq)

Our
  Params    1Exp_ffi(G1/Zq) + 1Pair + 1Exp_ffi(GT/Zq)
  Extract   1Exp_ffi(G1/Zq) + 2Mul_ffi(Zq/Zq) + 1Inv_ffi(Zq/Zq)
  Encrypt   1Mul_ffi(GT/GT) + 2Exp_ffi(GT/Zq) + 1Exp_ffi(G1/Zq)
  Decrypt   1Pair + 1Div_ffi(GT/GT) + 1Exp_ffi(G1/Zq)
  Sum       2Pair + 1Div_ffi(GT/GT) + 2Mul_ffi(Zq/Zq) + 1Mul_ffi(GT/GT) + 3Exp_ffi(G1/Zq) + 3Exp_ffi(GT/Zq) + 1Inv_ffi(Zq/Zq)



■ Concrete Comparison : Technique of Boyen

Using the technique (or rather the basis) of Boyen [11], we obtain the following results. But,
to balance the comparison between the schemes, we consider that BB1 works with a symmetric
pairing, as our scheme and BB2 do.

SS @ 80-bit security level

             BB1      BB2      Our
Extract :    4        2        2
Encrypt :    108      108      106
Decrypt :    320      222      222
Sum          432      332      330

MNT @ 80-bit security level

             BB1      BB2      Our
Extract :    0,4      0,2      0,2
Encrypt :    100,8    100,8    100,6
Decrypt :    320      220,2    220,2
Sum          421,2    321,2    321

SS : Supersingular curve
MNT : MNT curve


So according to these results, our scheme is more efficient than BB1. Its complexity is close to that of
BB2, but we confirm that our scheme is more efficient than BB2, as the latter bases its
simulation on Dk-BDHIP, with k linked to the requested identities. By contrast, our scheme is
based on D$k^{\sim}$-BDHIP, with $k^{\sim} \ll k$. So our scheme is more efficient than BB2 according to the result
of Cheon [20].
3.3 Efficient HIBE



3.3.1 Our Construction 

As we have cited above, Boneh, Boyen and Goh [17] have proposed an efficient scheme. This scheme
reduces the ciphertext of an HIBE from k parameters to a shortened one of only three parameters, and
the Decrypt from a product of k pairings to only two pairings. But [17] requires that the
identity be chosen in $Z_p^*$, which limits the selection of the identity; more than that,
[17] does not support selective+-ID. In the following proposition we overcome all these weaknesses.



Our Scheme 



Setup. Let $(G_1, G_T)$ be a bilinear group. Choose a generator $g \in G_1$
and set $P_{pub} = g^{l} \in G_1^*$. Calculate $e(g,g) = x$ and
$e(g,g)^{a_1} = x^{a_1} = y_1$, $e(g,g)^{a_2} = x^{a_2} = y_2$, ..., $e(g,g)^{a_v} = x^{a_v} = y_v$
(or rather $g^{a_1}, g^{a_2}, \ldots, g^{a_v}$).

$M_{pk} = \{G_1, G_T, P_{pub}, x, y_1, g^{a_1}, y_2, g^{a_2}, \ldots, y_v, g^{a_v}\}$, $M_{sk} = \{l, a_i \,/\, 1 \le i \le v\}$
Message space is $\{0,1\}^n$, ciphertext space is $G_1^* \times \{0,1\}^n \times \{0,1\}^n$.
Extract : Given an identifier $ID_A = (I_{A_1}, \ldots, I_{A_j}) \in Z_p^{\,j}$ of depth j < v,
of an entity A, public key $M_{pk}$, master key $M_{sk}$ returns

a l+ I A 1 + a 2+ I A 2 +---+ a j + I A j 

For a depth j, we have dA=g ' 

a l+ I A 1 + a 2+ I A 2 +--- + a j + I A j t a j+1 a 

The private key is (g i , g~ , g~r~ , g -r) 

a l+ I A 1 + a 2+ I A 2 +--+ a j+ I A j 1 a j+1 av 

(or (e(g, g) i , e(g, g) t , e(g, g)~ e(g, g)^~)) 

Noting that for level j+1, choose Sj+i G Z p and calculate 

"1+lAj +<^2+lA 2 +---+ a j+ I A j + l ) +/ A J + 1 1 a j+2 ^ 

(5 ' ,9 l ,9 1 , -,9 1 ) 

Encrypt: Given $m \in M$, $ID_A$ and $M_{pk}$, the following steps are performed:

1. Pick a random $s$ in $Z_q$.

2. Compute $z^{s(I_{A_1} + a_1 + I_{A_2} + a_2 + \cdots + a_j + I_{A_j})} =$

Ciphertext is $C = (g^{ls} = P_{pub_1}^{\,s},\ g^{s},\ m \cdot z^{s(I_{A_1} + a_1 + I_{A_2} + a_2 + \cdots + I_{A_j})})$
Decrypt: Given $C = (u', u'', v') \in C$, $ID_A$, $d_A$, $M_{pk}$, follow the step



I t n (sj —l)a,j \ 

1. Compute e(u',dA) and output m= v e d A ) 



Observation 

a-l+I Al +*2+I A2 + - + Sj(°. j )+I Aj ^ ^ 

if The private key (g 1 ,gi ,g 1 , g l ) = (do, d\, ...d v -±) is a private 

key for the Entity in Hierarchy (Children). For the user the private key will be (do, g^ -1 )^ ), 
if we are in a level j . 

if 1 and dj, j G {l,...,v } follow a certain level of security. What is mean that they are belonging 
in 2* for a parameter t of security chosen in beginning (following for example the requirement 
of NIST) 
3.3.2 Proof of Security



The security of our scheme is based on the Dl-BDHI$_{WC}$ assumption (which means Dl-BDHI With Condition;
in the following the condition is $g^{a^{l}} = 1$), since:

Theorem: Suppose the $(t, l, \epsilon)$-Decision BDHI$_{WC}$ assumption holds in G. Then our scheme is
$(t', q_s, \epsilon')$-selective identity, chosen plaintext (IND-sID-CPA) secure such that:
$Adv_{scheme}(t', q_s, \epsilon') > Adv_{l\text{-}DBDHI_{WC}}(t, l, \epsilon)$ where $t' > t - O(l\,q\,r)$, and r is the time needed to
make an exponentiation in the following proof:

Proof. Suppose A has advantage in attacking our scheme. We build an algorithm B that uses A 
to solve the Decision I — BDHIyt/c problem in G. Algorithm B is given as input a random 
(l+3)-tuple (g, g a ,g a , g a ,l,T) G G\ l x Z q xGr such that g a =1, this input is either sampled 
from Pbdhi (where T = e(g, or from Rbdhi (where T is uniform and independent in Gt)- 
The goal of the algorithm B is to output 1 if T = e(g, g)*) and otherwise. Algorithm B works 
by interacting with A in a selective identity game as follows : 
Initialization. 

We note for the selective identity ID* = (Ii*, Ik*) € {Z p ) k which algorithm A intends to 
attack. If k < v, B concatenate by 1 to have exactly v (the depth of the hierarchy). 

Setup. 

2 1 I 

As algorithm A can give to B the (g,g a ,g a , ■ ■■,g a , 1 / g a =1) according to its choice. So 
depending on the identity ID* = (Ii* , ...,/&*) chosen. A choose an an arbitrary j from [l,k], 
for example j=2. He calculate (g~ T ^ , g~^ a , g -1 ?® 2 , ...,g~^ a , 1 / g al = 1). Implicitly he 
calculate : f(a) = £ i=0 V, t(a) = f(a) - /(0), also M = /(a) ^ /(0) = f'(a). s will be chosen 
according to some requirement in phase 1. 
Our goal is to test if B can output the private key 

dA = \h « « ,na,n c ,n « , n <* j=(«o, «i, 03, d v -2) tor a 

given v and an identity (Ii, ...,I V ) 

B first picks a random 71, 71, j v £ Z p * which will verify some conditions in phase 1 
Phase 1. 

A issues up to qs private key queries. 

In the first step, choose an identity ID=(ii, ...,I r ), such that r < v 

If r < k, he selections only r element from ID* and if r > k the adversary B concatenate k 

(the depth of /*) by 1 as we have seen above. 

To response to do, B can make the following step : 

B imagine (implicitly) that each a« (1 < i < v) can be writ as ai=ji + (— 1)W (*) 
Noting that B can make this, as he can choose a suitable ji such that g a = g^g 1 '- We 
privilege to use the syntax (*), because f(a)g al can be not calculate-see the following 

So iishmj^a. = Mjg(TS + (-lM = / , (a)ES7i-/ , («)ES(-l) i « < 
The first part /'(a) Ei=i 7« can De calculate easily (after exponent it by g), until the second 
may not. But if we regroup it, we can find that f'(a) Ei=i( — l) l o* = 
Eti a i_1 (-« + « 2 " « 3 + -a fc_1 + a k ) 

=- Eti ot + Eti - Eti « l+2 + - + (-i)'- 1 Eti «^~ 2 + (-i) fc Eti oc i+k ~\ 

To remove the overstepping a, B must choose its s such that s+k-l=l i.e s=l-k-l which imply 
that the most long factor : a* +s_1 is equal to 1. Thus B can calculate easily 

g m_m { _ Ii)Y:Aai = ^Sf^ (w . th h= ^( /( a)-/(o))(-/j) = g f(a){-i*)^ which is equal to 
a (f'H E£J 7i)(- Eti «'+ES «' +1 -EI5 a^+.-.+C-i)*- 1 Eti a !+fc - 2 +(-i) fc E£i a'+^X-JJ) = 
5 (/'(a)E£?Ti)(-«-« 3 --(-l) fc « s+fc - 1 )(--f 2 *). 

h- I t+ I 2- I Z+---+ I k- I k 

For the second part : R = h <* .To output the exact key of ID at which all 

elements of ID operate in do, all the Ii chosen will be different from J|. And to benefit from 
/"(a), all Ii (for all 1 < % < r) of the requested identity ID, will be such that : Ii / n/| from 
each to other and this for n G N. Because he wouldn't obtain f"(a), but he may obtain 
another f"'(a). 
Observation 

A can choose (g~^ , g~ r i a ,g~^ a , g~ Ik - lC * , 1 / g a = l)instead of (g~^ , 
<7 _i 2 Q : g~ J 2 a2 ) ...^g~ r 2 a \ 1 / g a ' = 1) ( W e treat this later i.e only with i| to simplify the 
proof). So if B make a research exhaustive to know the exact place of I* for 1 < i < v, he 
need at most doing v research, which cost (v !), as v can be great. So for all 1 < i < v the 
Ii / nl^ V n G N. And this is an ideal case. 

To calculate R, B will calculate firstly d±. And to do it, B can calculate /febZffi) = /'( a ). 

After he calculate g -<* ( 2 ) = 5 s = gi wv-h) = h~ = d\. With this, B can 
calculate easily R, as he exponents only with I\ — I\ + I2 — I| + • • • + Ik ~ It ■ 
Now to calculate ds, ^4 . . . , d v -2, we have respectively the coefficients a, a 2 , a 3 , ...,q s+ ' u ~ 1 after 
a product of ak+i---,a v with /'(a). Effectively, all j overstepping 1 i.e l=j-x their a- 7 = a x , 
with x<l □ 

Thus with this manner B can responds to the private key 

a 1 +a 2 + ...+a k / t -/ f +I 2 -I 2 +■ ■ - + /fc -1% 1 "fc + l a k + 2 % 
dA = \h a f a ,hc,h a , ft, a , ft a J 

Challenge. 

A outputs two messages Mo, Mi G Gi. Algorithm B picks a random bit b G {0,1} and a 
random 1' G It responds with the ciphertext prepared as follow : 
He have 5 (/(«)-/(°))M 2 *) s = h %.a = h i' a = ^ with p= ± 

And C2=MT < a ^ +a ^--- +a k+ I l+ I i + -+ I l) = T s(a l +a 2 +...+a k +q+q+...+Il) 

So if Th = e(h, h) « he will have 

e(/i, /i)« (ai+a2+ --- +afc+/ i +/ 2+- +/ fe) = c 2 = e (/i, /i)''( ai+a2+ --- +afc+/ i +/ 2+---+ / fc) 

And he combine CT=( Cl ,c 2 ) = (h l ' a , e(h, fr,)''(«i+«2+...+a fc +/ 1 *+J 2 *+.. .+/*)) which is a vaM 

ciphertext under ID* 

If Th is uniform in Gi, then CT is independent of the bit b. 
Phase 2. 

A issues more private key queries, for a total of at most q$ < q. Algorithm B responds as 
before. 

Guess. 

Finally, A outputs a guess b' G {0, 1}. If b = b' then B outputs 1 meaning T = e(g,g)a. 
Otherwise, it outputs meaning T / e(g,g)&. 

When the input I + 2-tuple is sampled from Pbdhip (where T = e(g,g)*) then As view is 
identical to its view in a real attack game and therefore A must satisfy |Pr[b = b'] - 1/2| > e. On 
the other hand, when the input I + 2-tuple is sampled from Rbdhip (where T is uniform in Gt) 
then Pr[b = b'] = 1/2. Therefore, with g uniform in G±, T uniform in Gt we have that : 



Pr [ g, g a , g« 2 , g^ , 1, e(g, g) h ]- Pr [g, g<*, g<*\ , 1, T 

□ 



>| (k±e)-\- 
3.3.3 Discussion

Our first point of discussion is the problem used in the proof, which is Dl-BDHI$_{WC}$. We
have considered above that $l \gg v$ (v is the depth of the hierarchy). But this can make our
proposition vulnerable to the cryptanalysis of Cheon [20], by comparison with Dl-wBDHI* in
[17], where $l < v$ (v being the depth of the hierarchy), since in [20] Cheon proves that the
strong Diffie-Hellman problem has a complexity reduction of $O(\sqrt{l})$ by comparison with PDL. So
the greater k is, the easier the cryptanalysis becomes. To avoid this, we propose to consider
$l = v + \beta$; we can then use $a' = \beta$ instead of $a$ to reduce the problem from Dl-BDHI$_{WC}$ to
Dv-BDHI$_{WC}$, and we can go even lower than this.
We note that the relationship between the problems used is:
$l\text{-BHIP} \xrightarrow{1} l\text{-wBDHI}^* \xrightarrow{2} l\text{-BDHI}_{WC}$ (so:
$Dl\text{-BHIP} \xrightarrow{1} Dl\text{-wBDHI}^* \xrightarrow{2} Dl\text{-BDHI}_{WC}$). Relation 1 was proven in [17], while relation 2
is easy to prove.

[17] is based on a strong Diffie-Hellman problem compared to ours (this may be linked
to the use of asymmetric pairings). But [17] has two weaknesses. The first is that, in the
simulation study, the selected identity must be taken in $Z_p^*$ instead of $Z_p$ as with ours. This limits the
selection of the identity to be challenged, since the bit 0 cannot be used anywhere. The second is that
[17] does not support $s^{+}$-ID-CPA; by contrast, our scheme, like BB1, supports this notion.
According to [14], to render [17] $s^{+}$-ID-CPA, the authors make a simple modification. Its proof
yields a multiplicative security degradation by a factor of v, where v is the maximum number of
levels in the HIBE. To avoid this degradation, the authors add v-k factors, or rather
(v - k) Exp_G1, to the original scheme (v is the maximum depth of the hierarchies, while k is the
depth of the selected identity ID*).

By contrast, with our scheme we don't need this, because our scheme is $s^{+}$-ID-CPA and it is
competitive with [17].



To see this, we count in the following the complexity of BB1, BBG, and our scheme:

        Extract (user level k)    Encrypt                        Decrypt
BB1     (2k + 3) Exp_G1           (2k + 1) Exp_G1 + 1 Exp_GT     (k + 1) pairing + k Mul_GT
BBG     3 Exp_G1                  (k + 2) Exp_G1 + 1 Exp_GT      2 pairing
Our     2 Exp_G1 or 2 Exp_GT      (k + 2) Exp_GT + 2 Exp_G1      2 pairing + 1 Mul_GT + 1 Exp_G1



This table does not take into account some costs (such as the division of pairings, the multiplication
by $y_1 y_2 \cdots y_k$ in our scheme, the multiplication by $g_3$ in BBG, ...).

According to this table, our scheme is more efficient than BB1 and even than BBG,
because Exp_GT, which we count as Exp_Z (in the finite field), is cheaper than Exp_G1 (i.e. on
the elliptic curve).

This efficiency is visible in Extract and Encrypt (against both schemes, BB1 and BBG). For
Decrypt we slightly exceed BBG, but because of what we have seen
above (from the security point of view), our scheme is nevertheless more efficient.

3.4 Application 

3.4.1 Overview on Forward Encryption 

In [13] Canetti et al. propose a forward-secure encryption scheme in the standard model based on
[16]. The (fs-HIBE) scheme allows each user in the hierarchy to refresh his or her private keys
periodically while keeping the public key the same. With this, even if long-term keys are
compromised, past session keys, and therefore past communications, are not compromised,
since exposure of a secret key corresponding to a given interval
does not enable an adversary to break the system for any prior time period. For more detail, we
refer the interested reader to [13] and [33].

For Forward Security to succeed, the following requirements must be met:

- New users should be able to join the hierarchy and receive secret keys from their parent
nodes at any time.

- The encryption does not require knowledge of when a user or any of his ancestors joined
the hierarchy; we call this joining-time-oblivious. So the sender can encrypt the message as
long as he knows the current time and the ID-tuple of the receiver, along with the public
parameters of the system.

- The scheme should be forward-secure.

- Refreshing secret keys can be carried out autonomously, that is, users can refresh their
secret keys on their own to avoid any communication overhead with any PKG.

Joining [13] and [16] may give a scheme that does not satisfy these requirements. For
more detail see [33]. To overcome this, the authors of [33] proposed a scheme (based on [13])
which preserves all these requirements, but they use only the HIBE of [16], which gives a heavy scheme.
In the following we give a version in which we use our syntax of an HIBE (we only declare it).
This reduces the complexity, but because of some circumstances we do not give its
proof of security in this article. We leave it to future work and to the interested reader.

Implementation: Declaration

First we denote by $sk_{w,(ID_1,\ldots,ID_v)}$ a node key associated with some prefix w of the bit representation
of a time period i and a tuple $(ID_1, \ldots, ID_v)$.

$SK_{i,(ID_1,\ldots,ID_v)}$: key associated with time i and an ID-tuple $(ID_1, \ldots, ID_v)$. It consists of sk keys
as follows: $SK_{i,(ID_1,\ldots,ID_v)} = \{sk_{i,(ID_1,\ldots,ID_v)},\ sk_{w1,(ID_1,\ldots,ID_v)} : w0 \text{ is a prefix of } i\}$, where w0 and
w1 represent respectively the right node and the left node.
Setup($1^k$, $N = 2^l$)

The root PKG with $ID_1$ does the following:

1. IG is run to generate groups $G_1, G_T$ of order q and a bilinear map e.

2. A random generator g of $G_1$ is selected.

3. $P_{pub_1} = g^{l} \in G_1^*$.

4. Calculate $e(g,g) = x$, $e(g,g)^{a_1} = x^{a_1} = y_1$, $e(g,g)^{a_2} = x^{a_2} = y_2$, ..., $e(g,g)^{a_v} = x^{a_v} = y_v$
(or rather $g^{a_1}, g^{a_2}, \ldots, g^{a_v}$).

$M_{pk} = \{G_1, G_T, P_{pub_1}, x, y_1, g^{a_1}, y_2, g^{a_2}, \ldots, y_v, g^{a_v}\}$, $M_{sk} = \{l, a_i / 1 \le i \le v\}$

The following algorithm is a helper method; it is called by the Setup and Upd algorithms.
CompNext($sk_{w,h}$, $w$, $(ID_1 \ldots ID_v)$)

It takes a secret key $sk_{w,v}$, a node w, and an ID-tuple, and outputs keys $sk_{(w0),v}$, $sk_{(w1),v}$ for
time nodes w0 and w1 of $(ID_1 \ldots ID_v)$.

1. Parse w as wi...Wd, where = d. Parse ID-tuple as IDi, ...,ID V . Parse sk Wj h 
associated with time node w, for all 1< k < d and 1 < j < v. 

2. Choose random s^+i)j £ Z q for all 1 < j < h. 

3. Set S( w0 ) :V = 

a d+l^+ w0 ° I A 1 + a d+l,2+ w0 ° I A 2 +---+ a d+l,j-l+ w0oI A j _ 1 + s d+l,j( a d+l,j)+ VJ< - ) ° I A j 1 o d+lj+1 «d+l,D 

(g ' ,g J ,g f ,-,g~ r ^) 
S(wl),h — 

a d+lA+ wl ° I A 1 + a d+l,2+ wloI A 2 +-'- + a d+l,j-l+ wloI A j _ 1 + a d+l,j( a d+l,j)+ wloI A j 1 a d+lj+1 a d+l,v 

(g 1 ,9 T ,9 f ,-,9~ 

4. Erase s^+i),j for all 1 < j < v. 

KeyDerCS^,^!),*, (/£>i...IA,)) 

Let Eh be an entity that joins the hierarchy during the time period i < N - 1 with ID-tuple 
(ID\, ID v ).E' h s parent generates E' v s key SKi )V using its key SKi ( v _]\ as follows : 

1. Parse i as where 1 = log 2 N. Parse Sif^n-i) as (sfc;, („_!), { sfe( i | fc _ 1 i) j ( v _i)] i fc }=0). 

2. For each value sk w ^ v _i^ in ST^^-i), E' v s parent does the following to generate E' h s key 

w as w±...Wd> where d < Z, and parse the secret key sAw^-i) as 

{S w ,(v-i),,9 l ,9 1 ))• 

(b) Choose random Sk tV £ -^g for all 1 < k < d. Recall that Sfcj is a shorthand for 
s w \ k ,(IDi...IDj) associated with time node w\ k and tuple (ID\...IDj). 

(c) Set the child entity E v : s secret point S WjV 

a l,l +w ^k oI A 1 + a 2,2+ w ^k° I A 2 +---+ a j-l,j-l+ w \k° I A j _ 1 + s d+l,j( a j,j)+ w \k° I A :j 

=9 1 • 

E' h s parent sets SKi h = (sk it h, {sk^ k _ ll ^ h }i k =o)j an d erases all other information. 

Vpd(SK ijh ,i + 1, (ID 1 ...ID V )) (where i < N -1) 

At the end of time i, an entity (PKG or individual) with ID-tuple (ID±, ID V ) does the 
following to compute its private key for time i + 1, as in the fs-PKE scheme []. 

1. Parse i as where \i\ = 1. Parse SKi jV as (sk^^ v , {sk^ k _ 1 \)^ v }i k = 0). Erase sk^^- 

2. We distinguish two cases. If i; = 0, simply output the remaining keys as the key 
SK( i+1 j v for the next period for ID-tuple (IDi, IDh). Otherwise, let k be the largest 
value such that = (such k must exist since i < N - 1). Let i' = Using ski^h 
(which is included as part of SKi tV ), recursively apply algorithmCompNext to generate 
keys sk^iQdi^ v for all 

< d < I — k — 1, and sk^, Qd _i v y The key sk^ IQd _i ^ will be used for decryption in the 
next time period i+1, the rest of sk keys are for computing future keys. Erase sk^ jV and 
output the remaining keys as SK( i+1 ^ v . 

Enc($i$, $(ID_1, \ldots, ID_v)$, $M$) (where $M \in \{0,1\}^n$)
1. Parse i as

2. Denote $P_{k,j} = H_1(i|_k \circ ID_1 \ldots ID_j)$ for all $1 \le k \le l$ and $1 \le j \le h$.

3. Pick a random s in $Z_q$.

4. Compute 

z s(a\ 2A +i\ 2 °ID 1 +...+a\. A M\j°ID 1 +a\ lA +i\ l oID 1 +... +<j| 1]:7 -+i|io7Di. ..ID j -\-...+a\. tl +i\joID 1 +...+a\. tj +i\joID 1 ...ID j )_ 
g / g) S ^ 2 ,i+*l 2 °^- Dl +- ••+0| J -,i+»|jo7Di+a| li i+i|io7Di+... +a\ l j+i\ioIDi...IDj+...+a\^ 1 +i\joIDi+...+a\ j j+i\joIDi...IL 

Ciphertext is C=(g ls = Ppub^^g 3 , 

s(a| 1 +i| 2 o7Di+...+a| A +i\ j oID 1 +a^ A +i\ 1 oI D ± +... +a\ 1 oID 1 ...ID j +. ..+a\ 1 +i| J -o7Di+.. .+a^ j +i\ j oID 1 ...IDj)~ 

TYl .Z 3 3 3 

Decrypt : Given C = (u',u",v')gC, IDa, cIa, M pk , follow the step 

1. Parse i as Parse SKi t h associated with the ID-tuple as (ski^h, { s &(i| fc _ii),fe}*fc=0)- 

SAdi . -i +...+a . A 



2. Compute e(u',d,A) and output m= - e<y9 ' 9 e (J 
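
The key-evolution bookkeeping behind Setup, CompNext and Upd above, as an added example that is not part of the original paper: time periods are the leaves of a binary tree of depth l (N = 2^l), and SK_i holds sk_i plus sk_{w1} for every prefix w0 of i. The pairing-based CompNext is replaced by an HMAC-SHA256 derivation and the ID-tuple is left out (both are assumptions made only so the sketch runs); all function names are hypothetical.

```python
import hashlib
import hmac


def comp_next(key):
    """Stand-in for CompNext (assumption): from sk_w return (sk_w0, sk_w1)."""
    return (hmac.new(key, b"0", hashlib.sha256).digest(),
            hmac.new(key, b"1", hashlib.sha256).digest())


def bits(i, l):
    """Time period i as an l-bit string i_1...i_l."""
    return format(i, "0{}b".format(l))


def descend(key, path):
    """Apply comp_next along a bit path below the node that `key` belongs to."""
    for b in path:
        key = comp_next(key)[int(b)]
    return key


def expand(sk, node, l):
    """Replace sk[node] by the leaf node0...0 plus every sibling w1 on the way."""
    key = sk.pop(node)
    while len(node) < l:
        k0, k1 = comp_next(key)
        sk[node + "1"] = k1             # kept for deriving later periods
        node, key = node + "0", k0
    sk[node] = key                      # decryption key for that leaf's period


def initial_keys(root, l):
    """SK_0: the leaf 0...0 and sk_{w1} for every prefix w0 of 0...0."""
    sk = {"": root}
    expand(sk, "", l)
    return sk


def update(sk, i, l):
    """Upd: turn SK_i into SK_{i+1}; nothing that covers period i survives."""
    if i >= 2 ** l - 1:
        raise ValueError("no period after N - 1")
    w = bits(i, l)
    sk = dict(sk)
    del sk[w]                           # erase sk_i
    if w[-1] == "1":                    # if the last bit is 0, sk_{i+1} is already stored
        k = w.rindex("0")               # last 0 bit of i (0-based index)
        expand(sk, w[:k] + "1", l)      # i' = i|_{k-1} 1, then CompNext downwards
    return sk


def period_key(sk, period, l):
    """Leaf key for `period` if SK can still derive it, else None."""
    w = bits(period, l)
    for node, key in sk.items():
        if w.startswith(node):
            return descend(key, w[len(node):])
    return None


if __name__ == "__main__":
    L = 3                               # N = 2^3 = 8 periods (constructed demo)
    sk = initial_keys(b"constructed-root-secret", L)
    for t in range(2 ** L):
        reachable = [p for p in range(2 ** L) if period_key(sk, p, L)]
        print(t, sorted(sk), "can derive periods", reachable)
        if t < 2 ** L - 1:
            sk = update(sk, t, L)
```

At every period the stored set has at most l + 1 node keys, covers exactly the current and future periods, and contains no node that is a prefix of a past period, which is the forward-security property the update is meant to give.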
Comparison

To see the efficiency of our scheme (and BBG) in a forward-secure scheme, we make the following
comparison.





                       fs-HIBE [33]      fs with our scheme
Key derivation time    O(v log N)        O((v-k) log N)
Encryption time        O(v log N)        O(v log N)
Decryption time        O(v log N)        O(k + log N)
Key update time        O(v)              O(v-k)
Ciphertext length      O(v log N)        O(3 log N)
Public key size        O(v + log N)      O(v + log N)
Secret key size        O(v log N)        O((v-k) log N)

c is the hierarchy children considered,
N is the total number of time periods,
v is the depth of the hierarchy.



3.5 Construction of CCA2 

This section points out the techniques that can be used to obtain CCA2 security from CPA security.
To turn a CPA-secure scheme into a CCA2-secure one, there are several techniques:

For an IBE or HIBE with random oracles, we can use the two methods given by Fujisaki and Okamoto
[34].

For an IBE or HIBE without random oracles, there are also two techniques:
That of [13], which uses a one-time signature.
That of [35], which adds a MAC.

So using one of these last techniques can render our scheme CCA2 secure.



4 Conclusion 

In this paper, we have studied the competition between the best-known cryptosystems of
IBE cryptography. Our approach is more accurate than the only method made in this direction, that of
Boyen. Even though we follow a very simple strategy, it is effective in identifying the cryptosystems
that deserve to take part in standardization. We concluded that the scheme of Boneh and Franklin
is the most effective in the RO field, but we recommend using that of Sakai-Kasahara, since Boneh
and Franklin project onto an elliptic curve, which limits the selection of the curve and may therefore pose
security problems. We also note that, unlike the results of Boyen, BB1 lags behind the
others. In general we can say that the scheme of Waters is the most preferable, as it is set in the
SM domain and, moreover, it has an important classification. Following the criteria considered, SK and
BF are the most helpful.

This study is very useful to cryptographers, because we survey very recent research in
IBE. Moreover, we show the weaknesses and strengths of every cryptosystem in competition, which can
facilitate improvements leading to more practical cryptosystems.
Moreover, we have presented two efficient schemes in the selective-ID model without
random oracles (which is our second contribution in this work). With a small change in the
schemes of Boneh and Boyen we get more efficient schemes. The change is made in BB2 (change
S + ID by which permit to eliminate the use of two pairing in the Decrypt of IBE), and the
resulting scheme follows the commutative blinding approach. Indeed, as presented
in this article, the complexity of our scheme is less than that of BB1 (IBE version) and even than
that of BB2. Moreover, we have based our proof of security on D$\tilde{k}$-BDHIP, which is a more
efficient problem than the Dk-BDHIP used by BB2, since with the latter k is linked essentially to
the number of identities to be challenged. By contrast, with ours it is not: any $\tilde{k}$ can serve us,
and we can take for example $\tilde{k} = 2$, which puts D$\tilde{k}$-BDHIP in competition with the DBDHP
(Dl-BDHIP) used by BB1. On the other hand, using our syntax of IBE in HIBE and using the
technique of BBG (Boneh Boyen Goh), we get a more efficient HIBE than BB1 and BBG. The
efficiency by comparison with BB1 is clearly seen in the complexity. With our proposition, the
technique of BBG becomes more efficient, because the complexity is
reduced. Moreover, our HIBE supports $s^{+}$-ID (which requires a degradation by v in the
simulation studies), and we do not require that the identity to be challenged be in $Z_p^*$ as
with BBG. This renders BBG more restricted, as one is not free to choose the identity to be
challenged. Using our proposition in some applications like Forward Encryption makes them more
efficient.

Thus, throughout this paper, we have presented an efficient IBE and HIBE without random
oracles. With a small change in BB2 we obtain schemes more efficient than BB1 and BB2, which were
considered until 2011 (Journal of Cryptology) as the most efficient schemes in the selective-ID
model without random oracles.

Acknowledgement

We would like to thank the head of our laboratory, Mr. Aboutajdinne Driss.

References 

[1] A. Shamir. Identity-based cryptosystems and signature schemes. In G. R. Blakley and David
Chaum, editors, Advances in Cryptology - CRYPTO'84, volume 196 of Lecture Notes in
Computer Science, pages 47-53. Springer-Verlag, 1985.

[2] D. Boneh and M. Franklin. Identity based encryption from the Weil pairing. SIAM Journal on
Computing, 32(3):586-615, 2003.

[3] D. Boneh and X. Boyen. Efficient selective-ID secure identity based encryption without random
oracles. In Christian Cachin and Jan Camenisch, editors, Advances in Cryptology - EUROCRYPT
2004, volume 3027, pages 223-238, 2004.

[4] R. Sakai and M. Kasahara. ID based cryptosystems with pairing on elliptic curve. Cryptology
ePrint Archive, Report 2003/054.

[5] B. Waters. Efficient identity-based encryption without random oracles. In Ronald Cramer, editor,
Advances in Cryptology - EUROCRYPT 2005, volume 3494 of Lecture Notes in Computer
Science, pages 114-127. Springer-Verlag, 2005.

[6] Gentry. Practical identity-based encryption without random oracles. In Serge Vaudenay, editor,
Advances in Cryptology - EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer
Science, pages 445-464. Springer-Verlag, 2006.

[7] E. Kiltz, Y. Vahlis. CCA2 Secure IBE: Standard Model Efficiency through Authenticated
Symmetric Encryption. CT-RSA 08, Lecture Notes in Computer Science Vol. , T. Malkin ed.,
Springer-Verlag, 2008.

[8] E. Kiltz. Chosen-ciphertext secure identity-based encryption in the standard model with short
ciphertexts. Cryptology ePrint Archive, Report 2006/122, 2006.






[9] IEEE P1363.3 Committee. IEEE 1363.3 - standard for identity-based cryptographic techniques
using pairings. http://grouper.ieee.org/groups/1363/, April 2007.

[10] X. Boyen. The BB1 identity-based cryptosystem: A standard for encryption and key
encapsulation. Submitted to IEEE 1363.3, Aug. 2006. http://grouper.ieee.org/groups/1363/

[11] X. Boyen. A tapestry of identity-based encryption: Practical frameworks compared.
International Journal of Applied Cryptography, 1(1):3-21, 2008.

[12] M. Bellare, A. Desai, D. Pointcheval, and Ph. Rogaway. Relations among notions of security for
public-key encryption schemes, volume 1462 of Lecture Notes in Computer Science, pages 26-45.
Springer-Verlag, 1998.

[13] R. Canetti, S. Halevi, and J. Katz. Chosen-ciphertext security from identity-based encryption.
In Advances in Cryptology - EUROCRYPT, volume 3027 of LNCS, pages 207-22. Springer-Verlag.

[14] Sanjit Chatterjee and Palash Sarkar. Constant Size Ciphertext HIBE in the Augmented
Selective-ID Model and its Extensions. IACR eprint archive report 084/2007.

[15] J. Horwitz and B. Lynn. Toward hierarchical identity-based encryption. In Lars R. Knudsen,
editor, Advances in Cryptology - EUROCRYPT 2002, volume 2332 of Lecture Notes in
Computer Science, pages 466-481. Springer-Verlag, 2002.

[16] C. Gentry and A. Silverberg. Hierarchical ID-based cryptography. In Yuliang Zheng, editor,
Advances in Cryptology - ASIACRYPT 2002, volume 2501 of Lecture Notes in Computer Science,
pages 548-566. Springer-Verlag, 2002.

[17] D. Boneh, X. Boyen, and Eu-Jin Goh. Hierarchical identity based encryption with constant size
ciphertext. In Ronald Cramer, editor, Advances in Cryptology - EUROCRYPT 2005, volume
3494 of Lecture Notes in Computer Science, pages 440-456. Springer-Verlag, 2005.

[18] D. Boneh and X. Boyen. Efficient selective-ID secure identity based encryption without random
oracles. Journal of Cryptology (JOC), 24(4):659-693, 2011. Extended abstract in proceedings
of Eurocrypt 2004, LNCS 3027, pp. 223-238, 2004, i.e. [5].

[19] L. Chen, Zh. Cheng. "Security Proof of Sakai-Kasahara's Identity-Based Encryption Scheme".
In Proceedings of Cryptography and Coding 2005.

[20] J. Cheon. Security analysis of the strong Diffie-Hellman problem. In Serge Vaudenay, editor,
EUROCRYPT 2006, volume 4004 of LNCS, pages 1-11. Springer-Verlag, Berlin, Germany, May
/ June 2006.

[21] M. Bellare and P. Rogaway. Random oracles are practical: a paradigm for designing efficient
protocols. In Proceedings of the First Annual Conference on Computer and Communications
Security, ACM, 1993.

[22] Gaetan Leurent and Phong Q. Nguyen. How risky is the random-oracle model? In Halevi [18],
pages 445-464.

[23] D. Galindo. A separation between selective and full-identity security notions for identity-based
encryption. Available on: IACR eprint archive.

[24] L. Martin. "Introduction To Identity Based Encryption". Available at:
http://www.artechhouse.com/GetBlob.aspx?strName=Martin-238-CH04pdf

[25] D. Galindo. "Boneh-Franklin identity based encryption revisited". In Proceedings of the 32nd
International Colloquium on Automata, ICALP 2005.

[26] S. Galbraith, K. Paterson, and N. Smart. Pairings for cryptographers. Discrete Applied
Mathematics, 156(16):3113-3121, 2008.






[27] S. Marie-Aude. "Etude de la Primalite motivee par le besoin de Nombres Premiers dans le
Chiffrement RSA". Available at: http://www-magistere.u-strasbg.fr/IMG/pdf/MA Steineur.pdf

[28] H. Cohen, G. Frey. Handbook of Elliptic and Hyperelliptic Curve Cryptography.

[29] Tetsuya Izu and Tsuyoshi Takagi. Efficient Computations of the Tate Pairing for the Large
MOV Degrees. In ICISC 2002, volume 2587 of Lecture Notes in Computer Science, pages 283-297.
Springer-Verlag, 2003.

[30] Nadia El Mrabet. Arithmetique des couplages, performance et resistance aux attaques par
canaux caches. Thesis, December 2009.

[31] N. Koblitz and A. Menezes. Pairing-based cryptography at high security levels. In Nigel P.
Smart, editor, Cryptography and Coding, volume 3796 of Lecture Notes in Computer Science,
pages 13-36, Berlin, Heidelberg, 2005. Springer-Verlag.

[32] Galindo and Ichiro Hasuo. Security Notions for Identity Based Encryption. Available at:
http://eprint.iacr.org/2005/253

[33] D. (Daphne) Yao, N. Fazio, Y. Dodis and A. Lysyanskaya. Forward-Secure Hierarchical
IBE with Applications to Broadcast Encryption. Book chapter in: Identity-Based Cryptography,
M. Joye and G. Neven (editors), 2009.

[34] E. Fujisaki and T. Okamoto. Secure integration of asymmetric and symmetric encryption
schemes. In Proceedings of Advances in Cryptology - CRYPTO '99, LNCS 1666, pp. 535-554,
Springer-Verlag, 1999.

[35] D. Boneh and J. Katz. Improved efficiency for CCA-secure cryptosystems built using identity
based encryption. Submitted for publication, 2004.






